MaintainerResponsibilityPolicy (was Re: Claiming ownership of mantis)

Sun Oct 8 05:31:39 UTC 2006

On Sat, 2006-10-07 at 17:26 -0500, Jason L Tibbitts III wrote:
> >>>>> "GS" == Gianluca Sforna <giallu at gmail.com> writes:
> GS> Anyway ( sorry for being clueless ) why should we worry about
> GS> legacy distros, instead of leaving that to something like an
> GS> "Extras Legacy" SIG?
> 
> And who would do that, exactly?  The security team exists to help, but
> maintenance of a package on all supported Fedora releases is still
> the responsibility of the maintainer of said package.  I don't think
> that anyone expects maintainers to keep a machine with each OS
> revision loaded so that everything can be tested; the community should
> be relied on for some of that.  But when there are security
> problems it's still the maintainer's responsibility to evaluate them
> and evaluate the possible solutions and at least get those evaluations
> into the relevant bugzilla tickets.

No.  This is currently nobody's responsibility.  Which is a problem
which has not yet been adequately addressed.  Many Extras contributors
have signed on to maintain packages for the currently active releases
only (where active does not include Legacy.)  Others have no problems
with supporting Legacy as well.  We don't know how many are in each
camp, only that there are squeaky wheels on both sides.

We need to discuss that aspect of
http://www.fedoraproject.org/wiki/Extras/Schedule/MaintainerResponsibilityPolicy and either make a decision or come up with a plan to make a decision:  FESCo votes?  Extras Contributors vote?  Package by package basis?  Greaco-Roman wrestling competition between the leaders on each side?

I have several problems with the constant claim that it is the
maintainers responsibility to maintain packages until Legacy ends:

1) I didn't sign up for that.  Legacy wasn't brought up with relation to
Extras until long after I joined.

2) The decision to support for that length of time is not something I
had any ability to help determine.  If Extras contributors were able to
help decide how long Legacy support lasts it would be fair to expect
that they would help to make that a reality by maintaining their
packages for that length.  Since this isn't currently the case, it is
unfair to place the burden for supporting that decision on them.  This
is part of the foundation of opensource: those who do the work make the
decisions.

3) The expectations for how a package is maintained while in Legacy mode
are different than in the current releases.  This requires a different
mindset as a packager.  Devel and current releases push for "latest and
greatest" unless that is known to break something.  Legacy releases are
more suited for (but don't require) backports for (required criteria)
security and serious bug fixes.

4) The package maintainer has to accept help to fix architecture
specific problems if offered but isn't responsible for creating the
fixes if they have no access to the arches, why is the expectation
different for releases that the maintainer does not have access to test
on?

5) How many contributors are against being responsible for legacy
releases?  If it's a small number then we either create the legacy
policy and have people that pick up the slack for the few who don't want
to do it (or those people will quit the project in disgust and their
packages will become orphaned on all releases.)  If it's a large number
then attempting to hold people responsible for those releases is going
to be like trying to bail out a sinking ship with a sieve.

-Toshio
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/fedora-extras-list/attachments/20061007/31fe25c4/attachment.sig>