LWN: Comments on "Debian debate over tag2upload reaches compromise"

Maybe Open Source Communities Like Debian Differ

smitty_one_each — Sun, 07 Jul 2024 22:23:32 +0000

In my professional experience, when organizational inertia dominates as it has apparently in this case, the reasons are not technical.

The joy of open source is that it's akin to chess, with the pieces in view and the rules understood.

The further off the "chess" course things get, for whatever reasons of personality or politics, the less pleasant they are.

At least with something like Debian, it's unlikely that there is anything nefarious afoot, e.g. someone pocketing money.

Updated security review

rra — Sat, 06 Jul 2024 02:54:14 +0000

For those who are curious about the security analysis specifically, I have an updated security review on my web site that incorporates more of the sprawling discussion, including some corrections and elaborations.

thanks, dgit.debian.org vs. ftp.debian.org, FAQ

spwhitton — Sat, 06 Jul 2024 02:48:59 +0000

Thanks for this, especially for providing links into the old discussions. It must have taken quite some reading to identify those!

One fundamental disagreement is that the tag2upload developers consider dgit.debian.org, the append-only git server which receives the maintainer's signed tags, as no less official than ftp.debian.org. The compromise we have reached is essentially over that issue.

Readers may also be interested in the FAQ we wrote to accompany the formal call for a GR.

salsa

smurf — Fri, 05 Jul 2024 19:43:23 +0000

> There are some problems with using salsa as the ultimate source of truth: it isn't.

It's not intended to be. The signed tag is picked up by t2u and then pushed to an append-only git repository (to check it out: https://browse.dgit.debian.org). That, plus the source archive (the two are supposed to contain the same data after all, at least when you consider the trees linked to the actual tagged commits), is the "source of truth".

Whatever else happens on salsa and/or some other git repository is something Debian will have to deal with sooner or later, true, but that's independent of t2u,

Feeling happy about the move to Debian

atnot — Fri, 05 Jul 2024 12:28:02 +0000

NixOS is probably the nicest implementation of this, yeah. If you're unfamiliar, the whole package set is just one big git repo containing all of the build scripts, with one big public cache that continuously rebuilds it. So there's not really even any "releases" per se, just one git commit hash for the whole distribution.

But you really don't need to go that esoteric to have a nice workflow like that. Pretty much all not too-big-to-fail distros have highly automated packaging that can release updates with a git push or even just a button press on an automatically created PR.

I think even in Fedora you only need to register the upstream release tarball with their internal mirror and put update it's hash in a file these days, at least when I last looked at it. And that's using the venerable RPM, not something newfangled.

Feeling happy about the move to Debian

Baughn — Fri, 05 Jul 2024 11:58:53 +0000

NixOS has its own issues, but that’s precisely how it works. There are even automated VM-based integration tests.

Fascinating

jzb — Thu, 04 Jul 2024 13:34:38 +0000

Thanks, very much appreciated - and thanks for reading!

Fascinating

jzb — Thu, 04 Jul 2024 13:34:16 +0000

Glad that you found it interesting. Thanks much for reading!

Feeling happy about the move to Debian

gurkan — Thu, 04 Jul 2024 13:20:59 +0000

Thank you. You should install popularity-contest and participate, and send info about your usage to https://www.debian.org/users/

Feeling happy about the move to Debian

smurf — Thu, 04 Jul 2024 12:32:57 +0000

> It is certainly a fun, attention-grabbing spectacle to watch

yeah, well, maybe it's fun when you watch it for the first time. The second time you get annoyed, the third time you reach for your blood pressure meds, and after that you wish you could reach for a clue-by-four instead.

I've been a DD for 20 years by now and I'm on semi-hiatus for more than half that time, for precisely this reason.

I'll be back as soon as I can "git push" a program and see it get built (a) immediately and automatically, after passing CI on Salsa, and (b) without watching it go through an arcane upstream-source-tarball-plus-Debian-packaging-plus-explicit-patches-to-upstream dance.

Assuming, that is, that I live long enough (and keep my mental sanity on the way).

Feeling happy about the move to Debian

atnot — Thu, 04 Jul 2024 10:34:38 +0000

There's lots of distributions that manage to make minor techical improvements in less than 5 years without any sort of central dictatorship though. I'll just namedrop Arch, Gentoo, Mint, NixOS, to a lesser extent fedora but I mean it's basically all of them except RedHat and Ubuntu.

The thing that *is* unique about Debian is that whereas most other distributions consider packages and infrastructure shared community endeavors, in debian they are considered sanctimonious personal fiefdoms. Sure, there will be people who focus on specific areas or packages and there will be someone's username listed as a primary contact. But it's not a statement of ownership as much as responsibility. Nobody would get upset if someone else just made some distribution-wide changes to your package, in fact it happens quite regularly. Whereas in debian touching other people's stuff is considered taboo enough that the only way to get anything done is to push the person who maintains the linter to add a lint which might then become an error in 3 years time. This extends across the whole organization, with no way to get a natural, sensible consensus on anything because everything is a power play for who owns what and thus gets to block everything.

It is certainly a fun, attention-grabbing spectacle to watch. Especially compared to other distros where stuff mostly just silently works without major drama (at least of the technical kind). But that doesn't make it effective community governance.

Feeling happy about the move to Debian

madhatter — Thu, 04 Jul 2024 09:48:33 +0000

I've spent the past year migrating a lot of systems from CentOS 7 to Debian. I chose Debian largely because it seemed to me to have an open development process that meant that no single individual would be able to make a decision like the CentOS stream one; this article makes me feel really happy about that decision. It's a great example of lots of people with differing views using an approved process to synthesise something that can gain consensus, and one which is hopefully technically superior to any of the suggestions originally made. Not having a dictator may make things take longer, but I also think it makes them happen better.

salsa

bluca — Thu, 04 Jul 2024 08:16:24 +0000

That's an ACL problem though, that we should fix independently

Fascinating

vasvir — Thu, 04 Jul 2024 07:08:45 +0000

I know that it brings nothing new in the conversation but I have to say that I agree 100% with the parent comment (+1).

salsa

LtWorf — Thu, 04 Jul 2024 06:46:36 +0000

There are some problems with using salsa as the ultimate source of truth: it isn't.

I have done non maintainer uploads to packages that were soon going to be removed due to grave bugs. And when trying to sync salsa with my changes, I found out that I had no write access on that particular repository.

The same happened when someone else made an NMU to some package of mine: I had to sync the changes with salsa.

Since an NMU is usually done in case of important or grave bugs, a new workflow that might result in fewer NMUs being done, could result in issues remaining around for longer (or packages being removed).

Thanks a bunch for the summary!

iustin — Thu, 04 Jul 2024 06:17:49 +0000

A (low-scale) DD here, but I definitely didn't have the energy to keep up with the thread. Even the "tag2upload summary" email became a long thread on its own.

So many, many thanks for the summary!

A small step – often just the first step

smurf — Thu, 04 Jul 2024 05:32:27 +0000

> what amounts to a small compromise and design change

Well, it's one more step towards what could (should??) become a 100% git-centric workflow for building Debian's packages, ultimately threatening to supersede a large chunk of how the project's infrastructure has worked for 30 years — thus obsoleting the work people have spent on the requisite tooling.

The phrase "sunk cost fallacy" might have come up during that mega discussion, as part of the reason why ftpadmin is/was so adamantly against it. It definitely did appear in private exchanges on the topic.

Fascinating

smurf — Thu, 04 Jul 2024 05:23:49 +0000

Still, more than a bit of a kernel of truth there.

Fascinating

dilinger — Thu, 04 Jul 2024 01:48:31 +0000

Source: https://www.debian.org/social_contract

[Yes, it's a joke and I made that up.]

Fascinating

dilinger — Thu, 04 Jul 2024 01:47:42 +0000

Quoting from the Debian Social Contract:

"3. We will not hide problems

You will see how the sausage is made. As a matter of fact, we encourage you to get involved and BECOME the problems!"

Fascinating

jkingweb — Thu, 04 Jul 2024 01:16:28 +0000

I'm often fascinated reading these articles which provide a peek at how things work in Debian. Thank you, Mr. Brockmeier, for the very readable summary.