Hi Ian

On 2024/06/17 12:56, Ian Jackson wrote:
  * We made fairly formal appeals to two sitting DPLs.  What we got
    was, basically, attempts at mediation, or facilitation of
    discussions.  We didn't see that as helpful, since we saw an
    irreconcilable gap between our position and ftpmaster's.

    Sean and I were under the impression that the most recent response
    we got from a sitting DPL was sent to us after consulting with
    ftpmaster.

My response was to suggest that you find a way to talk to DSA/ftpmaster, ideally in person, and that you check whether the xz-utils postmortem in MDC Hamburg was happening, because that would be an ideal place to speak to both in person.

I wouldn't necessarily expect that you get the exact resolution that you're looking for, but when you get enough people together in person that understand the infrastructure and the trust chain well, then there should be a good chance that at least an alternate solution could be presented. I know that they specifically said they don't want the service to have its own upload key, but perhaps there are other ways to implement this without losing the key benefits that tag2upload provides. I'm sure you and Sean have thought a lot about it, but you might have some more leeway from DSA/ftpmaster if they have also taken a shot at it and exhausted all the possibilities.

Personally, I think that tag2upload is a great idea and it has a lot of potential, and I want to see it succeed, but I think a more pragmatic approach might get you there faster than forcing it.

As a project, I think we have some lessons to learn from overriding maintainers from the issues that arose from usr-merge/dpkg, and overriding two teams of people that are both highly skilled and competent at keeping critical infrastructure up for so long, won't sit well with many DDs voting on this either.

As I suggested in my reply to you months ago, I still believe that working with ftpmaster to come up with solutions will be worth while, but I don't think email/irc are the best platforms for hashing out problems.

As an aside, it might be worth while to integrate tag2upload into other services. I wasn't sure if I wanted to go down this rabbit hole in this mail, but Debusine looks like it has a lot of potential, and it could be a great backend for a PPA-like service, which could also have tag2upload integration or could even be *the* way it's implemented. That way tag2upload could get wider testing and more buy-in from users using that service. It probably doesn't sound very useful to suggest that you integrate tag2upload with a PPA service that's effectively still vapourware, but sometimes you need to have some good long-term strategy in order to get change to happen.

When it comes to tag2upload, I believe it's something that most people would want. At least it doesn't take away from any existing workflow or force people to change their habits right away, so in terms of being able to gain support for it, it has a lot going for it. The cost of overriding DSA/ftpmaster is really high though, and I'm not sure it's worth while doing a GR until all other options have been properly exhausted. Even if there is a GR, I believe a vote for "we all really want this, please find a way forward" would be better than "let's force this to happen right now".

-Jonathan
