[arch-general] [arch-dev-public] signoffs are dead

Kyle Terrien kyleterrien at gmail.com
Wed Jun 29 02:28:10 UTC 2016


I am replying to arch-general because arch-dev-public is closed to most
users.

On Tue, 28 Jun 2016 08:09:41 -1000
Gaetan Bisson <bisson at archlinux.org> wrote:
> Dear all,
> 
> For a while now packages in [testing] have gotten little to no
> signoffs and I've been moving mine to [core] after a week without
> feedback. I suspect many of you have been doing this too. Here's the
> signoff reports over the last ten days:
> 
> - June 19: 0 signoffs
> - June 20: 6 from me, 4 from anthraxx
> - June 21: 0
> - June 22: 5 from me
> - June 23: 2 from demize
> - June 24: 1 from me
> - June 25: 0
> - June 26: 1 from me
> - June 27: 3 from me, 1 from eworm
> - June 28: 3 from heftig, 2 from arojas
> 
> So I've decided to shorten the wait in [testing] to 48 hours. Many
> updates to [core] packages include security fixes and they had better
> move sooner rather than later. We used to be able to gather enough
> signoffs to move these within a day or two, and that's what I intend
> to do with or without signoffs.
> 
> Any comment, and especially any other idea to fix this situation, is
> welcome.
> 
> Cheers.

First, I am an Arch user (for 3 years now) not an Arch dev, and I
realize I have no right to tell anyone how to run the distribution.
What follows is just my personal recommendation based on working
software QA professionally.

With that said, I think eliminating signoffs is a bad idea.

Signoffs ensure some form of quality control.  A signoff is an explicit
approval from someone that the package is satisfactory to his/her
standards.  A potential signee has a completely different perspective
than the packager and a different way of verifying that the packager's
package is correct.  This sort of approval process catches errors that
would otherwise escape the packager's notice.  Simply waiting a period
of time without hearing complaints is not equivalent to explicit
approval from others.

I have personally experienced several breakages in the past several
months--more than usual.  A few were big enough that simply running
'foo --version' should have revealed a problem (i.e.  linking problems).  A
signoff process would have very likely caught these problems.

IMHO, the correct thing to do is remind other developers of the signoff
policy.  (And the above post to arch-dev-general certainly does just
that.)  Encouraging another set of eyes to look at someone's work and
say, "This looks good to me," is a very good thing and does wonders in
terms of quality control.

If getting security fixes pushed out is a concern, then getting the
security related fixes signed off should be prioritized.  (Maybe by
putting in a flag that automatically triggers a mail to arch-dev-public)

Respectfully yours,
--Kyle Terrien

