[arch-general] [arch-dev-public] signoffs are dead

Kyle Terrien kyleterrien at gmail.com
Wed Jun 29 02:28:10 UTC 2016

I am replying to arch-general because arch-dev-public is closed to most

On Tue, 28 Jun 2016 08:09:41 -1000
Gaetan Bisson <bisson at archlinux.org> wrote:
> Dear all,
> For a while now packages in [testing] have gotten little to no
> signoffs and I've been moving mine to [core] after a week without
> feedback. I suspect many of you have been doing this too. Here's the
> signoff reports over the last ten days:
> - June 19: 0 signoffs
> - June 20: 6 from me, 4 from anthraxx
> - June 21: 0
> - June 22: 5 from me
> - June 23: 2 from demize
> - June 24: 1 from me
> - June 25: 0
> - June 26: 1 from me
> - June 27: 3 from me, 1 from eworm
> - June 28: 3 from heftig, 2 from arojas
> So I've decided to shorten the wait in [testing] to 48 hours. Many
> updates to [core] packages include security fixes and they had better
> move sooner rather than later. We used to be able to gather enough
> signoffs to move these within a day or two, and that's what I intend
> to do with or without signoffs.
> Any comment, and especially any other idea to fix this situation, is
> welcome.
> Cheers.

First, I am an Arch user (for 3 years now) not an Arch dev, and I
realize I have no right to tell anyone how to run the distribution.
What follows is just my personal recommendation based on working
software QA professionally.

With that said, I think eliminating signoffs is a bad idea.

Signoffs ensure some form of quality control.  A signoff is an explicit
approval from someone that the package is satisfactory to his/her
standards.  A potential signee has a completely different perspective
than the packager and a different way of verifying that the packager's
package is correct.  This sort of approval process catches errors that
would otherwise escape the packager's notice.  Simply waiting a period
of time without hearing complaints is not equivalent to explicit
approval from others.

I have personally experienced several breakages in the past several
months--more than usual.  A few were big enough that simply running
'foo --version' should have revealed a problem (i.e.  linking problems).  A
signoff process would have very likely caught these problems.

IMHO, the correct thing to do is remind other developers of the signoff
policy.  (And the above post to arch-dev-general certainly does just
that.)  Encouraging another set of eyes to look at someone's work and
say, "This looks good to me," is a very good thing and does wonders in
terms of quality control.

If getting security fixes pushed out is a concern, then getting the
security-related fixes signed off should be prioritized.  (Maybe by
putting in a flag that automatically triggers a mail to arch-dev-public.)

Respectfully yours,
--Kyle Terrien