Updates QA/karma question

Michael Schwendt mschwendt at gmail.com
Sat Dec 13 11:42:01 UTC 2008


On Fri, 12 Dec 2008 09:25:19 -0700, Orion wrote:

> Another update issue that raises some questions -
> 
> - Does anyone actually read the comments in bodhi before allowing the 
> push request to proceed?

Interesting issue, but it's not the first time this has happened.

So, to sum up:

* Some package maintainers insist on receiving problem reports for updates
in bugzilla. In general, there's no guarantee, however, the bz ticket will
be seen early enough to prevent a bad test-update from being pushed to
stable. So, additional negative karma in bodhi seems to be the way to go.

* Some people suggest that one has to enter bz ticket numbers in bodhi
before becoming able to give negative karma. (I think that would be a
waste of time for lots of cases)

* Some package maintainers do notice negative karma in bodhi, but they
choose to ignore it in cases where they think an issue is not bad
enough. Even if it causes a regression for some users, they mark an update
as stable, because they expect it to fix other issues.

* Communication problems between maintainers with regard to inter-package
dependencies. Maintainer "A" asks maintainer "B" about a needed update of
another package. "B" tells "A" which newer version is supposed to be
sufficient. "A" then proceeds in bodhi without making sure that the needed
update from "B" is released or that both updates will be pushed _at
once_. Unclear here: The change in bodhi which requires that both
maintainers have pkg cvs devel commit access for the relevant pkgs in
order to submit update requests for them. Else bodhi's group updates
would be the way to fix this and push rpcbind together with 
selinux-policy-targeted in a single set.

> - Should update submitters be allowed to give positive karma to their 
> updates?  Seems like that they are too biased.

Agreed. Some spend positive karma on mass-updates without even having
installed their packages on all dists. For example, some broken deps
make it impossible to install a package with rpm/yum/... and require
the --nodeps option.

> - Is there any requirement that an update have positive karma before 
> being pushed to stable?

No, not at all.

That's a fault IMO. Many more updates ought to rely on the automatic
pushing based on the minimum positive karma threshold. If package
maintainers (and sufficiently privileged staff) retained the power to push
an update despite its karma level, but only with a good rationale, the
act of sabotage would become impossible and less attractive. (read:
hostile users could not block an update from being pushed)

> As of now, rpcbind will fail to start on F-9 with selinux in enforcing 
> mode (esp. important on servers!) until 
> selinux-policy-targeted-3.3.1-115.fc9 is pushed to stable.  Seems like 
> we could have waited for that.

I've thought "group updates" are supposed to fix that. Those are updates
for multiple packages at once. If one of the set/group of pkgs is bad and
leads to too much negative karma while in updates-testing, the entire set
of pkgs will be pulled.

> We really need to work on this updates system.

See Luke Macken's recent blog entry about some bodhi metrics. Several
available features would be helpful *if* they were used more, instead
of listening to fan-boys and early +1 voters (who even vote on pkgs
downloaded from koji).



