From: Jon Turney
To: Chad Dougherty, "cygwin-apps@cygwin.com"
Subject: Re: How does a package become orphaned? (was Re: Attn maintainer: python-paramiko)
Date: Thu, 1 Dec 2022 19:41:54 +0000
Message-ID: <355f05b2-991c-fff6-fa5e-7d3eba7b16d9@dronecode.org.uk>

On 04/11/2022 13:05, Chad Dougherty wrote:
> On 2022-11-04 08:34, Jon Turney wrote:
>> The second is not so clear: A package is orphaned if its maintainer
>> is not responsive to queries as to if they still want to be the
>> maintainer of the package.
>>
>> It's undefined how many times we should ping, or how long we should
>> wait for a response, but I think that the ~10 months that's elapsed
>> here is more than enough!
>
> If the prospective adopter is also proposing an update that addresses
> security vulnerabilities in the old package, I suggest that that, and
> the severity and impact of those vulnerabilities be factored into the
> timeout decision.

Well, maybe.

I think a common way for distros to handle this is to have some subset of maintainers who are allowed to make NMUs for these "important" updates.

The problem is we don't really have the concept of an NMU currently, although this is (again) due to accidents of history, rather than by design.

The current upload policy is:

- Only the maintainer for a package is allowed to upload that package.

- If a package is orphaned (has no maintainer), there are some "trusted" maintainers who are allowed to upload it.

I'm kind of inclined to relax that a bit, although I'm not sure what to.