[arch-general] [arch-dev-public] signoffs are dead

Wed Jun 29 08:23:24 UTC 2016

Hey there,
At some point I started to receive those "signoff" message on one of the list
I'm subscribed to. I searched on the wiki what that meant, but with no result. I
see that on https://wiki.archlinux.org/index.php/Official_repositories you
mention in one sentence what it is, but sorry it's not clear what I can do about
that. I also spend maybe half an hour trying to find that in my profile, with no
result either. I concluded that maybe it was something for only trusted users,
and it was just not my business.

Maybe the first step before considering the signoff "dead" would be to educate
people on how to do that? It might be obvious to the Trusted users on how
everything works. As far as I am concerned, I have no idea of the packaging
process apart from AUR. All the technical parts are now natural to me, but all
the "human" process is completely obscure.

Kind regards,

(Tue, Jun 28, 2016 at 07:28:10PM -0700) Kyle Terrien via arch-general :
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> I am replying to arch-general because arch-dev-public is closed to most
> users.
> 
> On Tue, 28 Jun 2016 08:09:41 -1000
> Gaetan Bisson <bisson at archlinux.org> wrote:
> > Dear all,
> > 
> > For a while now packages in [testing] have gotten little to no
> > signoffs and I've been moving mine to [core] after a week without
> > feedback. I suspect many of you have been doing this too. Here's the
> > signoff reports over the last ten days:
> > 
> > - June 19: 0 signoffs
> > - June 20: 6 from me, 4 from anthraxx
> > - June 21: 0
> > - June 22: 5 from me
> > - June 23: 2 from demize
> > - June 24: 1 from me
> > - June 25: 0
> > - June 26: 1 from me
> > - June 27: 3 from me, 1 from eworm
> > - June 28: 3 from heftig, 2 from arojas
> > 
> > So I've decided to shorten the wait in [testing] to 48 hours. Many
> > updates to [core] packages include security fixes and they have better
> > move sooner rather than later. We used to be able to gather enough
> > signoffs to move these within a day or two, and that's what I intend
> > to do with or without signoffs.
> > 
> > Any comment, and especially any other idea to fix this situation, is
> > welcome.
> > 
> > Cheers.
> 
> First, I am an Arch user (for 3 years now) not an Arch dev, and I
> realize I have no right to tell anyone how to run the distribution.
> What follows is just my personal recommendation based on working
> software QA professionally.
> 
> With that said, I think eliminating signoffs is a bad idea.
> 
> Signoffs ensure some form of quality control.  A signoff is an explicit
> approval from someone that the package is satisfactory to his/her
> standards.  A potential signee has a completely different perspective
> than the packager and a different way of verifying that the packager's
> package is correct.  This sort of approval process catches errors that
> would otherwise escape the packager's notice.  Simply waiting a period
> of time without hearing complaints is not equivalent to explicit
> approval from others.
> 
> I have personally experienced several breakages in the past several
> months--more than usual.  A few were big enough that simply running 'foo
> - --version' should have revealed a problem (i.e.  linking problems).  A
> signoff process would have very likely caught these problems.
> 
> IMHO, the correct thing to do is remind other developers of the signoff
> policy.  (And the above post to arch-dev-general certainly does just
> that.)  Encouraging another set of eyes to look at someone's work and
> say, "This looks good to me," is a very good thing and does wonders in
> terms of quality control.
> 
> If getting security fixes pushed out is a concern, then getting the
> security related fixes signed off should be prioritized.  (Maybe by
> putting in a flag that automatically triggers a mail to arch-dev-public)
> 
> Respectfully yours,
> - --Kyle Terrien
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
> 
> iQIcBAEBCAAGBQJXczI6AAoJEN5rMzXPJBsQASIP+gLGiQbQVrg/mNVDacXaHuEK
> 8H3QQz9amQMwgQXq8Mh17HWfbiQMQMWD48O9CBP+fUyWLVPOxs6g4H/aXFiIm4G+
> Qw6/vWfgQaGjY60nLJ7D8/NVq9PwXSPEYF1cA8/6D7JtuotwXxCFENiNR9Qki7Un
> 3QCXRI6Z/KKGcpBvpIsa++qDeZuXnSTy00ZJO5EFYxTi+AUBEyffHX/bS2IUCOkC
> tUWxtoVIix4buD32/tCnPz19wku9MylddYBzNuB1qCD1NG6XLsxmn8WiHGeoiy+E
> uFwjxPgDx0MaldNNJzubC2LQD/osdTDTTPwDf2M0c802FI+pHxlj/Dk9imz86NFA
> 9xPH8WJ1cfiVTue0BkRJXlR2eI0VIPSqAbpcDCfzCwYbrFuFoqwszpET03PtF/Y4
> 5tfZHLODiFpDc9Whu5o4ejzf4p/eMUN3xmwUp+8cguFcSmjBSPvYvRbgI8puiPRm
> Al5xYxnrmghEf9R5fIRUWoHlsGNNMrmd1MKquJ6i1+Dkf0pmUK4t58G3crWjFb7+
> laMUKYRmH+LwYhxvET562E8EM8QYYtow+PietZssC7ZhjGa1sG70FahQWCijmIj6
> TdpfCiNgmQ8AF4C4JXhzZvONtdYzUeNSgiv/FkA9T4n9Xje/ZCUhyM+inaqmA/5A
> ComaWc2SjeM8gTBfdPQa
> =E42/
> -----END PGP SIGNATURE-----

-- 
Ismael
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 213 bytes
Desc: Digital signature
URL: <https://lists.archlinux.org/pipermail/arch-general/attachments/20160629/bfd52f82/attachment.asc>