[arch-general] [arch-dev-public] signoffs are dead
kyleterrien at gmail.com
Wed Jun 29 02:28:10 UTC 2016
I am replying to arch-general because arch-dev-public is closed to most
On Tue, 28 Jun 2016 08:09:41 -1000
Gaetan Bisson <bisson at archlinux.org> wrote:
> Dear all,
>
> For a while now packages in [testing] have gotten little to no
> signoffs and I've been moving mine to [core] after a week without
> feedback. I suspect many of you have been doing this too. Here's the
> signoff reports over the last ten days:
>
> - June 19: 0 signoffs
> - June 20: 6 from me, 4 from anthraxx
> - June 21: 0
> - June 22: 5 from me
> - June 23: 2 from demize
> - June 24: 1 from me
> - June 25: 0
> - June 26: 1 from me
> - June 27: 3 from me, 1 from eworm
> - June 28: 3 from heftig, 2 from arojas
>
> So I've decided to shorten the wait in [testing] to 48 hours. Many
> updates to [core] packages include security fixes and they had better
> move sooner rather than later. We used to be able to gather enough
> signoffs to move these within a day or two, and that's what I intend
> to do with or without signoffs.
>
> Any comment, and especially any other idea to fix this situation, is

First, I am an Arch user (for 3 years now) not an Arch dev, and I
realize I have no right to tell anyone how to run the distribution.
What follows is just my personal recommendation based on working
software QA professionally.

With that said, I think eliminating signoffs is a bad idea.

Signoffs ensure some form of quality control. A signoff is an explicit
approval from someone that the package is satisfactory to his/her
standards. A potential signee has a completely different perspective
than the packager and a different way of verifying that the packager's
package is correct. This sort of approval process catches errors that
would otherwise escape the packager's notice. Simply waiting a period
of time without hearing complaints is not equivalent to explicit
approval from others.

I have personally experienced several breakages in the past several
months--more than usual. A few were big enough that simply running
'foo --version' should have revealed a problem (i.e. linking problems). A
signoff process would have very likely caught these problems.

IMHO, the correct thing to do is remind other developers of the signoff
policy. (And the above post to arch-dev-general certainly does just
that.) Encouraging another set of eyes to look at someone's work and
say, "This looks good to me," is a very good thing and does wonders in
terms of quality control.

If getting security fixes pushed out is a concern, then getting the
security-related fixes signed off should be prioritized. (Maybe by
putting in a flag that automatically triggers a mail to arch-dev-public.)

--Kyle Terrien