Re: To all candidates: which way out of the project ?

2013-03-23 Thread Moray Allan

On 2013-03-23 05:54, Paul Wise wrote:

> There are definitely people in that position (I can think of at least
> one), it would be interesting to quantify how many Debian members make
> no visible contributions, if for no other reason than making their
> contributions (if any) visible.


Yes.  But I would suggest that we should aim to build a really good 
contributor-tracking system, then treat as a useful 
side-effect/sanity-check the ability to diff with the list of project 
members and find possibly non-contributing members, rather than focusing 
energy directly on locating them.


--
Moray


--
To UNSUBSCRIBE, email to debian-vote-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/464a15978eefd6d102f0af38fa4f2...@www.morayallan.com



Re: To all candidates: which way out of the project ?

2013-03-23 Thread Moray Allan

On 2013-03-22 23:23, Moray Allan wrote:

> As other replies have said, this seems to be much less of a solved
> problem in recent years


Since someone asked: yes, this is an accidental blend from editing 
"seems to be a solved problem" insufficiently towards "seems to be much 
less of a problem".  I'll blame the fact I'd only slept for a couple of 
hours on a plane the previous night.


--
Moray





Re: [all candidates] Advertising testing and security support

2013-03-23 Thread Gergely Nagy
Jérémy Bobbio writes:

> Dear candidates, do you think it would be wise to advertise `testing` as
> a usable distribution to our users given that state of affairs? Given
> that our security support for stable is already not as best as it could
> be, do you think we should encourage volunteers to be more active in
> security support for testing?

First of all, our security team is doing an excellent job, considering
the amount of work required and how few people they are, their response
time and the quality of work they do is very high. Could it be improved?
Yes, of course. With enough manpower at our disposal, we could
pro-actively search for and find security issues! But we're nowhere near
that, nor should we be, I believe.

As for advertising testing: for some uses, we should, yes. But without
security updates managed by the security team, those uses are fairly
limited, and the consequences must be kept in mind. This makes it hard
to make a good case for testing.

If we'd have enough manpower to handle security updates for testing
as well (either via unstable, or through other channels), that would help
tremendously. Not only our users, but our maintainers would have it
slightly easier too. Therefore, I find it a commendable task to
encourage volunteers to work on security support (be that for stable,
testing or otherwise).

> Do you have ideas on how to attract more volunteers to the dull, hard,
> and sometimes boring tasks of taking care of security issues in
> Debian?

Realizing that the task is neither dull nor boring would be one step. It
is hard quite often, though.

I do have a couple of ideas (shamelessly borrowed from my former boss,
who convinced me to work at the support department instead of
development), but these may present more problems than they solve,
at least initially.

You see, preparing security releases is a complicated task, one that
requires a good knowledge in a number of areas: packaging, security, a
multitude of languages, upgrade paths, and so on and so forth. It
requires a particularly diverse set of skills. That is also what makes it
so very interesting (even entertaining, in some respects). There aren't
many people who have the diverse knowledge required, and even fewer who
are willing to sacrifice their time to do work that's mostly invisible.

To attract more people for the task, we first need to recognise the
importance of it, we need to be *proud* of the people who are already
doing it. And then, we can encourage volunteers to help out, and
existing members to mentor them. One of the hardest parts is this, the
mentoring part (due to time constraints and an already high load, just
to name two issues), but perhaps we could persuade former members of the
security team to take on this role?

If one can learn a lot about software and security, when there's someone
else to mentor, that makes it - in my experience - a lot more appealing
to volunteer, than being thrown into high waters, and hoping one can
swim. Having a very, very diverse set of skills can also help one at his
or her day job (it certainly helped me), so being part of the security
team is easily a good way to further advance one's own career.

-- 
|8]





Re: [all candidates] Advertising testing and security support

2013-03-23 Thread Jérémy Bobbio
Arno Töll:
> On 19.03.2013 23:52, Jérémy Bobbio wrote:
> > Given that our security support for stable is already not as best as
> > it could be, do you think we should encourage volunteers to be more
> > active in security support for testing?
>
> With due respect, I disagree. From a user's perspective who
> occasionally interacts with the security team, I beg to differ. The
> security team does a great job, and their work is reliable, trustworthy
> and mostly invisible (which is what it should be, nobody wants to deal
> with conflicting/problematic upgrades during a security update).
> 
> Of course, everything could always be improved - for example I'd like to
> have longer stable support cycles - but given the limited and restricted
> manpower, the result is great.
> 
> I find your remaining judgment of the security team rather insulting
> than an opening of a discussion which is by no means constructive.

This was very ill-worded. Please accept my apologies if I have offended
anyone. Feel free to take the banjos out if you need compensation.

The security team is doing an amazing and fabulous job. Huge kudos to
Yves-Alexis, Dann, Florian, Raphael, Giuseppe, Moritz, Martin, Luciano,
Luk, Nico, Stefan, Thijs.

One of the team's great achievements is to tirelessly track which issues
are affecting Debian. And according to the tracker, there's close to 100
packages with open issues in stable at the moment:
.
That is what I was referring to.

The Debian archive is amazingly large so that is to be expected.
Security issues are not the sole responsibility of the security team:
maintainers sometimes also have a hard time backporting fixes to a two
year old code base.

Given the stable security level could probably be enhanced with some
more brains, I was wondering about the security aspect of the "testing
as rolling" plans.

Again, truly sorry if anyone felt disheartened by my previous message.

-- 
Jérémy Bobbio                        .''`.
lu...@debian.org                    : :Ⓐ  :  # apt-get install anarchism
                                    `. `'`
                                      `-




Re: [all candidates] discussions in -devel

2013-03-23 Thread Gergely Nagy
Serafeim Zanikolas writes:

> In the words of Lars [*]:
>
> We're not very good at dealing with situations where a few individuals
> are dominating the discussion by being loud, insistent, and unwilling to budge
> or to give any credence to opposing views. I don't know what to do about that,
> but we clearly need social and possibly technical tools for this.
>
> According to Lars, behind the scenes diplomacy is not sustainable. It seems to
> me that the only way to solve this issue effectively is to make trolling
> harder (requiring more effort) than ending it.

My impression so far, is that trolling isn't all that common. Ignorance
and unwillingness to compromise are much more common (combine it with
all parties showing signs of these, and the high amount of traffic, and
things will blow up very quickly). The problem is, whatever technical
solution we come up with that makes trolling and other misbehaviors
harder, will make normal discussions harder too, and that is not
something I'd like.

> Our usual approach of darwinism (whereby a single hacker's solution gets
> gradually adopted) does not work here because any attempted solution (social,
> technical or both) requires some kind of upfront policy change (and, for
> technical measures, some kind of infra change).
>
> How do you propose that we go about dealing with this issue, keeping in mind
> that it's imposs^Wchallenging to get to consensus about non-technical and
> potentially controversial policy (moderation) changes?

Unlike Lars, I believe in behind the scenes diplomacy, but perhaps that
would need a bit more coordination: a handful of people attempting it
uncoordinated may have undesirable results. At other times, it is simply
impossible to stop a thread from blowing up, no matter how many people
you throw at the task. At these times, it would help if we had a way to
close down threads for a short amount of time (ie, anything that shares
the same subject, or references any message within the thread would be
held for moderation, or simply dropped). A reasonable rule of thumb
seems to be: "If it is more than 8 levels deep, or the thread has more
than two dozen mails within the first 48 hours, it will be going
nowhere."

But that's just an idea, and not a terribly good one, either.

I much prefer one of Lars' suggestions: "Real-life meetings between
participants. Debconf, sprints, FOSDEM, other such
conferences. Unfortunately, this is expensive, and we can't reach
everyone."

Granted, that may not always be an option, but in many cases, I believe
it would work remarkably well. When a thread escalates and goes terribly
wrong, we can approach the involved parties behind the scenes, and
propose a real life meeting to resolve the issue. It's better for them,
better for us, and it needs preparation, so their energy will go into
gathering their thoughts instead of echoing the same things over and
over again to different people in the same thread.

Not everyone needs to be present at these meetings - perhaps there will
be times when the worst offenders won't even be there. But that's no
problem either, as if we get everyone else there, there will be no one to
feed the troll, either.

In short, I support real-life meetings to resolve these kinds of issues
that we usually see escalating, I'd prefer this over (moderation) policy
changes or technical workarounds. But if it comes to that, we should not
be afraid of working around social shortcomings with technical
roadblocks, either - at least temporarily.

-- 
|8]





Re: [all candidates] lack of women in Debian

2013-03-23 Thread Gergely Nagy
Lucas Nussbaum writes:

> On 19/03/13 at 21:43 +0100, Gerfried Fuchs wrote:
>> * Lucas Nussbaum [2013-03-19 07:44:32 CET]:
>> > But it's also about how we see our project. I would like Debian to be
>> > a very welcoming project, and I hate the fact that it's harder for some
>> > groups to get involved.
>> 
>>  Given that the context of this statement is "lack of women in Debian",
>> why do you believe that it's harder for women to get involved?
>
> Let's split the process of getting involved into several steps:
>
> Step 0: Alice knows nothing about Debian
> Step 1: Alice is "exposed" to Debian
> Step 2: Alice would like to contribute to Debian
> Step 3: Alice starts contributing to Debian
>
> Going from Step 0 to Step 1 is less likely for women, because there are
> fewer women in situations to be "exposed" to Debian (studying CS, IT
> jobs, etc.). And there's not much we can do (as Debian) for that.

I would like to strongly disagree here. Getting involved in, and
contributing to Debian does not require one to be anywhere near CS or
IT. It certainly helps, because we, as a project, are far better
prepared to receive and encourage such contributions, but that's not all
there is to it.

There are many ways to reach out to non-technical people too (including
but not limited to friends, partners, family and various non-technical
events), and we as a project can and should encourage this kind of
outreach too, and not limit ourselves to technical contributors only.

(Also, not being in a position to be naturally exposed to Debian does
not mean that one wouldn't become a technical contributor later on.)

> Going from Step 1 to Step 2 is also less likely for women, because the
> prospect of getting involved in a project with so few women might be a
> bit frightening.

Agreed, but there's a lot we can do here to make it less so.

-- 
|8]





Re: To all candidates: which way out of the project ?

2013-03-23 Thread Lucas Nussbaum
On 23/03/13 at 12:46 +0300, Moray Allan wrote:
> On 2013-03-23 05:54, Paul Wise wrote:
> > There are definitely people in that position (I can think of at least
> > one), it would be interesting to quantify how many Debian members make
> > no visible contributions, if for no other reason than making their
> > contributions (if any) visible.
> 
> Yes.  But I would suggest that we should aim to build a really good
> contributor-tracking system

Or improve the existing ones, such as the 'echelon' field in ldap (=
last mailing list post), the mia db, bapase
(http://udd.debian.org/bapase.cgi), etc. let's not reinvent the wheel!

L.





Re: [all candidates] Advertising testing and security support

2013-03-23 Thread Lucas Nussbaum
On 19/03/13 at 23:52 +0100, Jérémy Bobbio wrote:
> Hi!
> 
> Lucas wrote in his platform:
> 
>   For example, we have been providing a fairly good rolling release for
>   almost 13 years with testing, but we totally fail at advertising it as
>   something supported and usable by end users.
> 
> Even if a dedicated team is supposed to care about security in
> testing [1], the dedicated mailing-list [2] has not seen an announcement
> since February 2011.
> 
> Dear candidates, do you think it would be wise to advertise `testing` as
> a usable distribution to our users given that state of affairs? Given
> that our security support for stable is already not as best as it could
> be, do you think we should encourage volunteers to be more active in
> security support for testing? Do you have ideas on how to attract more
> volunteers to the dull, hard, and sometimes boring tasks of taking care
> of security issues in Debian?

First, having security support for testing with the same (high :) )
quality as for stable would be great, of course.

But I don't think that this is a prerequisite for advertising testing as
a rolling release.
- We would need to state clearly how security support for testing happens
  (mostly through unstable, etc.)
- We could discourage the use of 'testing' on multi-user systems or
  Internet servers. It's quite likely that the main use of testing will
  be desktops/laptops anyway.

Note that some successful distros have more restricted/focused security
support:
- (AFAIK) the Ubuntu Security team only issues updates for packages in
  the 'main' component. The 'universe' component is (supposed to?) be
  supported by the community.
- (AFAIK) Linux Mint relies on Ubuntu's security support

Finally, I think that it's a chicken and egg problem, too: if we
advertise testing as a recommended alternative for users, it is more
likely that people will be interested in helping with its security
support.

Lucas





Re: To all candidates: which way out of the project ?

2013-03-23 Thread Moray Allan

On 2013-03-23 19:16, Lucas Nussbaum wrote:

> On 23/03/13 at 12:46 +0300, Moray Allan wrote:
> > Yes.  But I would suggest that we should aim to build a really good
> > contributor-tracking system
>
> Or improve the existing ones, such as the 'echelon' field in ldap (=
> last mailing list post), the mia db, bapase
> (http://udd.debian.org/bapase.cgi), etc. let's not reinvent the wheel!


I did not intend to comment on *how* to build a really good system -- I 
don't think anyone is suggesting to throw away existing work or reinvent 
the wheel.  There are indeed many useful tools for specific aspects of 
contributor tracking already; minechangelogs is another one you didn't 
mention.


But a really good contributor-tracking system would tie together all of 
these aspects, would also know about e.g. people who do translations or 
design artwork, and would be capable of showing e.g. the number of 
people doing a type of task or the distribution of people across 
different activity levels, rather than just taking queries for 
individual people.


--
Moray

