Hi all,

I'm Fabio Ruhland, a Google Summer of Code 2026 contributor working on DebNet, 
mentored by Arian Ott and Christian Kastner.


DebNet uses UDD to model the archive as a dependency graph and a 
maintainer–package graph, and computes practical metrics (bus factor [1], 
dependency impact, and a fragility score [2]) to surface packages that are 
single points of failure. The aim is to complement WNPP, the MIA team, and 
qa.debian.org by flagging packages that are becoming undermaintained (usually 
the precursor to orphaning, and far more common under maintainer overload) 
before they actually become orphaned.


It's early, and since I want this to be genuinely useful, I'd value input from 
people who maintain packages day to day. A few specific questions:


  *   What would make a fragility signal actually actionable for you, rather 
than just noise?
  *   For bus factor, does counting distinct uploaders over a recent window 
(with team-maintained packages flagged separately) match how you'd think about 
it?
  *   Any existing tools or prior work I should be building on rather than 
duplicating?


More broadly, I'd welcome the perspective of people who have been doing this 
far longer than I have: failure modes you've seen where a package quietly 
became a single point of failure, quirks in the UDD data worth watching out 
for, or angles on archive resilience I might be missing.


I won't be able to build everything in one GSoC, but I'd like the foundations 
to be shaped by real experience. And I'm happy to collect longer-term ideas on 
the wiki so nothing gets lost.


Project page: https://wiki.debian.org/DebNet


Thanks,

Fabio (Salsa: ruhlando)



[1] Bus factor: how many people would have to step away before a package loses 
active maintenance. Here, the distinct humans who actually uploaded it within a 
recent window (team addresses counted separately).

[2] Fragility: low maintenance combined with high dependency impact. A package 
few people maintain but many others depend on. For example, a library with no 
active uploader for years that hundreds of packages still need to build or run: 
if it breaks, the breakage cascades and nobody is actively watching it.
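
The two footnote definitions above, worked through as an added example that is not part of the original post and is not DebNet code. The upload rows, dependency edges, team address list, the 730-day window and the scoring formula (impact divided by one plus bus factor) are all assumptions made for illustration; the post does not specify them.

```python
from collections import defaultdict, deque
from datetime import date, timedelta

# Constructed sample data (not real UDD rows): (package, uploader, upload date)
UPLOADS = [
    ("libfoo", "alice@example.org", date(2019, 3, 1)),
    ("libbar", "bob@example.org", date(2025, 11, 2)),
    ("libbar", "carol@example.org", date(2026, 1, 15)),
    ("libbar", "team-bar@lists.example.org", date(2026, 2, 1)),
    ("app1", "dave@example.org", date(2026, 3, 3)),
    ("app2", "dave@example.org", date(2025, 12, 9)),
    ("app3", "erin@example.org", date(2026, 4, 20)),
]
# Constructed edges: package -> packages it needs to build or run
DEPENDS = {"app1": ["libfoo"], "app2": ["libfoo", "libbar"], "app3": ["app1"]}
# Assumption: team addresses are known in advance and listed here
TEAM_ADDRESSES = {"team-bar@lists.example.org"}

def bus_factor(pkg, today, window_days=730):
    """Return (distinct human uploaders in the window, team-maintained flag)."""
    cutoff = today - timedelta(days=window_days)
    recent = {u for p, u, d in UPLOADS if p == pkg and d >= cutoff}
    return len(recent - TEAM_ADDRESSES), bool(recent & TEAM_ADDRESSES)

def dependency_impact(pkg):
    """Count packages that depend on pkg directly or transitively."""
    rdeps = defaultdict(set)
    for src, targets in DEPENDS.items():
        for target in targets:
            rdeps[target].add(src)
    seen, queue = set(), deque([pkg])
    while queue:  # breadth-first walk over reverse dependencies
        for rdep in rdeps[queue.popleft()]:
            if rdep not in seen:
                seen.add(rdep)
                queue.append(rdep)
    return len(seen)

def fragility(pkg, today):
    """Assumed score: high impact and few recent human uploaders rank highest."""
    humans, _team = bus_factor(pkg, today)
    return dependency_impact(pkg) / (1 + humans)

def rank(today):
    """Packages ordered from most to least fragile (name breaks ties)."""
    pkgs = {p for p, _, _ in UPLOADS}
    return sorted(pkgs, key=lambda p: (-fragility(p, today), p))
```

With the constructed data, `libfoo` ranks first: it has no uploader inside the window, yet three packages reach it through the reverse-dependency walk.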
