
List:       fedora-devel-list
Subject:    Re: Fedora pagure confusion wrt EPEL
From:       Michael Schwendt <mschwendt () gmail ! com>
Date:       2020-01-31 21:58:16
Message-ID: CABs8w0yTuiqRrGTOKChw0E8+Fpf3NuxWZzP6Rq5OTExRpejrTA () mail ! gmail ! com

On Fri, 31 Jan 2020 at 20:45, Robbie Harwood <rharwood@redhat.com> wrote:
> 
> You received a total of between 4 and 8 emails depending on how bugzilla
> batched them.  My apologies for the extra 3-7.

More than eight because of needinfo notifications, "assigned" and "Cc"
changes and tracker ticket changes.

> > > Andreas Bierfert (awjb), who was recently declared non-responsive.
> > 
> > That could have been mentioned.  Is that when some process transferred
> > EPEL packages to me without prior asking?
> 
> I did mention it.  My words were that "the maintainer is no longer
> active in Fedora, and you're the default assignee for the package".

Whenever the non-responsive maintainer procedure was complete, what
happened next? The unmaintained EPEL packages ought to have been
orphaned or retired properly, and existing bugzilla components
reassigned to the orphan owner. All within EPEL and without forcefully
assigning five-year-old tickets to a Fedora packager.

> Your response, by the way, was: "Would you mind becoming familiar with
> the Fedora Project a bit?".

EPEL and the Fedora package collection are two separate projects with
different maintainers. It's not that the Fedora packages must be
anything like "upstream" for the EPEL packages.

Once more, I am not the EPEL maintainer of that package. And I've
pointed you at the EPEL FAQ:
https://fedoraproject.org/wiki/EPEL/FAQ#I_maintain_a_package_in_Fedora._Do_I_have_to_maintain_it_for_EPEL_now.2C_too.3F


When you learned that the EPEL maintainer of that package is no longer
available, what made you think that you could simply assign the
tickets to the Fedora maintainer?

> > > My view is that there's an open security bug, so it's reasonable to want
> > > to know whether it's going to be fixed.
> > 
> > You consider it reasonable to look into ancient security issues after
> > almost five years?  The related tracking bugs did serve no purpose for
> > almost five years?
> 
> Yes?  This shouldn't come as a surprise to you.  The whole process of
> security bugs, CVEs, and the like exists to get them *fixed*.  If they
> are in fact not, you might not care about EPEL, but EPEL doesn't want to
> ship vulnerable software any more than you do.

What do you refuse to understand? I am _not_ the EPEL maintainer of
this package. I don't do EPEL packaging. What maintenance procedures
are in place for EPEL to handle cases like that without forcefully
assigning tickets and/or packages to a Fedora package maintainer?

> You are repeatedly ignoring that I'm not concerned about the Fedora
> package.  Please stop.

You've assigned EPEL tickets to a Fedora packager. Can't be so hard to
understand that. I've told you about the difference in private email.

> You are subject matter expert for the project.
> No one is better suited than you to answer the question of whether a
> given version is affected or not.

Have these CVEs been reported about the Fedora package, too, five
years ago? Then look up the tracker tickets and the Fedora specific
tickets, and the CVE numbers will appear in the package %changelog
because of packaging guidelines. Also, have the security issues been
reported to upstream or only EPEL?

> > As pointed out, I don't keep an eye on EPEL. I'm completely surprised
> > that all of a sudden I am expected to look into EPEL packaging
> > matters. I still don't understand why I have become the assignee of
> > EPEL tickets and possibly EPEL packages, too, when I never asked for
> > that.
> 
> I mentioned that in my emails, and people have repeatedly explained it
> to you here too.

Not yet. I've never signed up as the maintainer for EPEL packages.

> I *also* mentioned in my email that if no one is
> responsible for them to your knowledge, the proper thing to do was to
> remove the branches, and provided you information on how to do so.

Why me? Why did the EPEL package collection contain unmaintained
packages? Is no cleanup done for EPEL to properly orphan/retire such
packages? Why would you ask a Fedora packager to do it rather than
somebody from the EPEL project? Nothing in bugzilla gives a hint that
I would be able to do it for EPEL. It was just out of coincidence that
I could touch the EPEL packages due to Provenpackager access. Again, I
am not an EPEL packager!

> This isn't a silo.  We're supposed to be working together, and helping
> each other.  Your responses of refusing to even consider answering
> questions about EPEL, replete condescension, and refusal to actually
> read what I (and others) have been saying continues to make this
> difficult.  Please stop.

This incident turns into a growingly unpleasant experience for me.
I've asked you to clean up the mess in bugzilla and reassign the EPEL
packages properly, because I am not responsible for those packages.
You've not done that. I've had to do it myself. Team work doesn't mean
that you assign tickets to me, which have been neglected/ignored for
almost five years. This isn't a hot-potato-dropping contest.
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org


