changes are still needed

Pekka Savola pekkas at netcore.fi
Mon Jun 13 11:27:59 UTC 2005


It would be interesting to hear what others think the direction should 
be.  If you think "just pick a direction, I don't care which", stating 
so wouldn't hurt either.

On Sun, 12 Jun 2005, Eric Rostetter wrote:
>> published after 2 weeks of timeout unless needswork/discuss or issues
>> are identified.
>
> If we assume the person who created the package has done some QA before
> submitting it for QA, then one vote could be seen as two, unless that
> only vote is from the creator. I'm not sure why some/most package creators
> don't submit QA feedback on their own packages, but maybe we can get
> them to do so in the future?
>
> Anyway, if the creator posts a QA, this would guarantee all packages get
> released in 2 weeks.  I like that everything gets out, but I think 2 weeks
> is maybe too fast for only the creator doing QA (possibly on only one OS
> version for a patch that covers multiple OS versions).  See my concern
> here?
>
> I guess you could modify it as "1 VERIFY from someone other than the
> package/patch creator" but...

Purely from the administrative perspective, IMHO, the package creator 
must not give PUBLISH or VERIFY votes, though such can be implicit. 
There is too much conflict of interest there, so recusing is IMHO the 
only option.

>>   2) 2 VERIFY votes are needed (for any version), after that packages
>> are published after 2 weeks of timeout unless needswork/discuss or
>> issues are identified.
>
> I like this one, and could live with it.  Even if the creator does a QA,
> the creator must do multiple OS version QA, or we still need someone else
> to do QA. This is much better than #1 because a creator can't force an
> otherwise untested package out the door.
>
>>     a) timeout is counted from the first VERIFY
>>     b) timeout is counted from the second VERIFY
>
> It seems to be logical it would have to be after the second, since there
> could be more than 2 weeks between the first and second...

I'm OK with either approach, but I'd prefer a) with the interpretation 
that the creator does not do formal QA (so if you'd always count that 
as one, it would be equivalent to what you're thinking).

>>   3) 2 VERIFY votes are needed (for any version), after that packages
>> are published after at most 4 weeks of timeout after the first verify,
>> but two weeks after the second, unless needswork/discuss or issues are
>> identified.
>
> I think this is the very best.  I'd also be able to settle for a modified
> version:
>
> 1 verify vote (for any version) plus 4 weeks of no activity, or 2 verify
> votes (for any version) and 2 weeks of no activity after the first
> verify vote.
>
> The above modification means everything is released (if the creator
> does a QA) after at most 4 weeks...

As stated above, I don't think we should recommend (or even allow) the 
package creator doing QA for his/her own packages.  That's the other 
people's job, and ensures the logical separation of functions.

Of course, we could assume that most package creators do test the 
packages they create, and implicitly include that here (i.e., require 
just one "external" verify vote to approve a package after a timeout).

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings



