changes are needed, we need keep moving

[Pekka Savola]

On Fri, 3 Jun 2005, Eric Rostetter wrote:
>>> If you mean that it only takes 1 verify vote for any version of an update
>>> to publish an update (across all versions) than I stand by what I said.
>>> Otherwise, I'd have to ask that you clarify what you mean.
>>
>> Yes, this is what I said.  It currently requires 1 verify vote to
>> VERIFY one version (in the past, the rules said two for each, but
>> packages never got out that way so it has been taken down to 1).
>
> That is very bad.  We really need to restore it to 2 votes.  One vote
> isn't enough.  Seriously.
>
> If we're not able to get 2 votes, then plea to the list for the second.
> If we still don't get 2 votes then we need to disband this project, or
> change it into a different project.
>
> Seriously, if we can't get 2 votes for a package, then there is a real
> problem going on.

It's pretty clear we've had a real problem going on for a long time.

(A smaller, specific instance of lack of testing seems to be that 
sufficiently many people aren't interested in FC1/FC2 and lack of 
verifies for those stall the updates for other distros.)

>> What I say is that if folks don't care enough to report their
>> successes or problems within two weeks of someone formally first test
>> of the package, they deserve what they get.
>
> That isn't the point of the project though.  It would be much better to
> get two votes.  Heck, if you do one, and I do one, we're done.  The only
> time that would be a problem is the once or twice a year we go on vacation.

That doesn't seem to have happened all that much, however.

>> That said, I could also live with two verify votes (for any version)
>> plus the similar timeout, but I think timeliness is more important.
>
> I can agree to 2 votes plus timeout.  If we give 2 weeks for the votes,
> and 2 additional weeks for the timeout, then everything is done in one
> month.  Sounds reasonable to me.

4 weeks is a long time for more important security bugs.  2 weeks is 
maximum after the stuff has been pushed to updates-testing (which 
typically has also taken quite a while).

>> FYI, one verify vote is sufficient to VERIFY a distro version right
>> now, so this is why I said one measly verify vote.
>
> I wasn't aware of this; last I knew we still needed two votes.  How/when
> did this change?

A long time ago, maybe a bit over 6 months or so ago.

>> We can't avoid these errors completely by testing, because there just
>> aren't enough people willing to do the testing and report the errors.
>> We'll just have to publish and revise if something breaks.
>
> But we can try better/harder to get more votes (including say, getting me
> to test/vote more, and getting those who run updates-testing but don't
> vote to vote).

I encourage you and others to do that.  However, IMHO, we've stalled 
already long enough with that and folks (yourself included) have 
started (or already done) moved away from some releases.

I suggest we make some process changes now (I don't specify which, but 
the impact has to be significant), AND you (and others) try to get 
more people to do QA as well.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings