To: gentoo-dev@lists.gentoo.org
From: Duncan <1i5t5.duncan@cox.net>
Subject: [gentoo-dev] Re: Time based retirements
Date: Fri, 21 Dec 2012 06:09:16 +0000 (UTC)

Rich Freeman posted on Thu, 20 Dec 2012 22:33:55 -0500 as excerpted:

> On Thu, Dec 20, 2012 at 10:21 PM, Doug Goldstein
> wrote:
>> I could MAYBE understand it if they're consuming some valuable resource
>> that we need to free up by retiring them. But instead they get a
>> nasty-gram about their impending retirement and decide if that's how
>> they are to be treated that they can be retired.
>
> Could anybody post the text of one of these "nasty grams?"
>
> I can understand the sense in just checking in to make sure a developer
> still is interested in Gentoo and wants to retain cvs access. However,
> I think the bar for keeping access should be kept low - they shouldn't
> be forced to go find some trivial change to make just to get their name
> in the logs.
>
> Sure, sometimes real life gets busy, but if a dev still runs Gentoo and
> has interest they're fairly likely to return when life settles down.

Obviously I can't post the text of one of these "nasty grams", but I was around when the idea was first discussed and then implemented, by undertakers and infra, with the blessing of either council or whatever it was that came before (I was young in gentoo back then and didn't have a clear understanding of how it all worked, but when I started, drobbins was still around, but in the process of setting up the foundation and etc so he could leave gentoo in good shape when he did retire, and IIRC/AFAIK, he had turned things over to some sort of interim executive committee... and I don't recall whether the events here predated what we call council today, or not).

You're essentially correct, Rich. IIRC (and all this based on my possibly inaccurate understanding), at least one of the initial triggers was infra's concern, I believe after some other distro had a headline breakin when an inactive dev had their system penetrated and their credentials stolen, that the at-the-time-something like 500+ devs on the rolls, with something under 300 having any CVS or list activity at all within the last six months or some such (so about half were even minimally "active", this was of course before overlays became in any way widespread or more than personal overlays, tho some devs did make theirs publicly available), wasn't healthy, and was taking too much risk, due to the number of still active but potentially abandoned credentials out there, possibly free for the taking, with the credentialed no longer active, so they'd not even notice the activity in their name, that they hadn't done!

The other primary concern was QA related, all those effectively abandoned packages could now be put up for adoption by new maintainers or for maintainer-needed or treecleaning, as appropriate based on open bug count, etc.

As it was originally set up, the idea was that anybody without an away file explaining the situation, that hadn't had sufficient activity (CVS or list, I believe two commits or posts was to be considered sufficiently active) for at least (I believe) 90 days, would get an inquiry note from undertakers. That level of the process was supposed to be mostly scripted, a script was to be run periodically that would check for away files, cvs commits, and list posts, and would generate a list of inactive devs and the notices automatically, altho I THINK actually SENDING the notices might have required undertaker action, in which case the human doing that was supposed to review them for sanity.

The idea was *NOT* that it would be a "nastygram", simply a note of concern, asking what was going on and if the dev was still interested in gentoo, or if they wanted to retire. Again, the primary interest, as best I know, was security. All those potentially unsupervised access credentials laying around for the taking, should someone get access to the inactive dev's computers, etc.

If they were still interested, at the first level (which was IIRC 90 days), all they had to do was reply, saying so. *ONLY*, and this was a point that everyone took pains to ensure was specifically made, if people didn't reply (or replied that they were no longer interested in gentoo), were they ultimately retired. ** It's also worth pointing out that a simple away file listing something reasonable (that wasn't itself expired by this much time, but that bit wasn't automated, the automated script simply checked for an away file, period) would immediately shut down the process.

I believe there was a second level that actually triggered the beginning of the undertaker process, at the 180 day (probably plus 30 days to give a last chance for a reply, which would have made it 210 days total, but I'm not positive on that).

By this point, the thinking went, a dev really SHOULD have had at LEAST the time to set up an away file, or simply reply with an explanation so they could be entered in an ignore list, if they weren't already active once again. But, the argument went, anybody that couldn't post AT LEAST two messages or do two commits in six months (I believe the magic number was two)... arguably was likely not following gentoo closely enough any more to be sure their commits, if they DID make any, weren't more of a danger to the now moved on tree than a help, in any case.

AFAIK the policy was a bit controversial even then, but nobody could really refute the argument, particularly given the other distros' breakins in the headlines due to the exploitation of still-active credentials for year-inactive devs. And IIRC it DID allow gentoo to bring its headcount down to something a bit more in line with the active dev count.

Plus, with the retirement of those devs, the packages they maintained that had been effectively abandoned, were now actually announced for adoption and if there were no takers, they were marked maintainer-needed and/or tree-cleaned as appropriate. That in turn helped clean up the tree rather noticeably in the initial six to eight months after the policy went into effect, as well.

Meanwhile, it didn't hurt activity measurably at all. Because if people WERE still interested, they could easily show it, by simply replying and/or setting an appropriate away, or by taking the encouragement to up their activity level just a bit.

But, as I said, that was well before overlays.gentoo.org and layman. Even if the original policy is still considered sound in general, it should arguably be updated (along with the scripts that do the checks) to include at least the main project overlays.

OTOH, an argument could equally be made that those aren't actual contributions to THE GENTOO TREE, and that in many/most cases, gentoo developer credentials aren't actually necessary for the main project overlays, in any case, so if that's where a dev's activity is, and they can't make at least the minimum main tree commits OR list posts, then the original argument still applies.

So the overlays policy could be debated either way, but it DOES need to be discussed, and the general inactivity retirement policy should be updated to reflect the actual decision, whatever it may be. And... perhaps that policy in general needs a reexamination.

Regardless, it's possible that the "nastygrams" aren't worded particularly well, and that they could be worded better, even if the policy is retained. However, that's hard to say, without a hard example of such a "nastygram" posted.

-- 
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman
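
The periodic inactivity check described in the message above, sketched as an added example; it is not part of the original post and is not Gentoo's actual undertaker script. The thresholds (two commits or posts, 90 and 180 days) are the ones the author recalls with hedges, and every name, field and sample record here is hypothetical.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Thresholds as recalled in the message (assumptions, not confirmed policy).
MIN_EVENTS = 2      # commits or list posts that count as "sufficiently active"
INQUIRY_DAYS = 90   # first level: a note of concern is generated
RETIRE_DAYS = 180   # second level: the undertaker process begins

@dataclass
class Dev:
    name: str
    events: list = field(default_factory=list)  # dates of CVS commits and list posts
    has_away_file: bool = False   # presence only, as the message describes
    replied: bool = False         # answered an earlier inquiry (ignore list)

def count_since(dev, today, days):
    """Number of recorded events in the last `days` days."""
    cutoff = today - timedelta(days=days)
    return sum(1 for d in dev.events if cutoff <= d <= today)

def classify(dev, today):
    """Return 'ok', 'excused', 'inquiry' or 'retire' for one account."""
    if count_since(dev, today, INQUIRY_DAYS) >= MIN_EVENTS:
        return "ok"
    # An away file, or a reply to an earlier note, shuts the process down.
    if dev.has_away_file or dev.replied:
        return "excused"
    if count_since(dev, today, RETIRE_DAYS) >= MIN_EVENTS:
        return "inquiry"
    return "retire"

def audit(devs, today):
    """Group account names by status, for human review before any notice is sent."""
    report = {"ok": [], "excused": [], "inquiry": [], "retire": []}
    for dev in devs:
        report[classify(dev, today)].append(dev.name)
    return {status: sorted(names) for status, names in report.items()}

# Constructed sample data, not real accounts.
TODAY = date(2012, 12, 21)
SAMPLE = [
    Dev("alice", [date(2012, 12, 1), date(2012, 11, 15)]),
    Dev("bob", [date(2012, 8, 1), date(2012, 7, 20)]),
    Dev("carol", [date(2011, 5, 1)]),
    Dev("dave", has_away_file=True),
    Dev("erin", replied=True),
]

if __name__ == "__main__":
    for status, names in audit(SAMPLE, TODAY).items():
        print(f"{status:8} {', '.join(names)}")
```
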