Emails are actually a barrier against collaboration, and actively
hinder it by preventing new people from joining in. Please understand
that, outside of the demographic group of people who started using
computers in the 70s and 80s, the vast majority of opinions on the
topic of email as a collaborative tool range from "barely tolerated"
to "deeply hated". Emails sucks, it's horrible and outdated stuff
based on horrible and outdated procolos and ideas, and today it is by
and large a system to deliver spam, phishing and malware, with
occasional barely useful things like confirming registration on a new
website or resetting a lost password. The vast majority of people who
are forced to use emails do so for work via a
work-mediated/administered interface that tries to make it somewhat
tolerable, like Outlook or Gmail. By and large people born this side
of the millennium look at people running their own email workflows as
you would look at someone programming with punchcards - an interesting
curiosity if found in a museum re-enactment or a history book
photograph, and a strong reason to get the heck out of there
otherwise. And outside of the tech bubble it's even worse. Some
projects like the kernel can afford to let the curmudgeons continue to
dictate its use because it's a de-facto monopoly and if one wants to
get things merged in Linux there is no alternative, and even then
there are continuous grumblings and attempts by the IT infra managers
to build bridges with the 21st century with custom and bespoke
kernel-specific kludges, to the point where some subtree maintainers
have just gone "fuck this" and set up their own Gitlab repos for their
own subtrees. We don't have that luxury: there are plenty of
alternatives to Debian that work just as well for the same use cases.

The number of people involved in programming, software engineering, IT
and any other related field has absolutely exploded since the 90s. The
number of Debian project members has remained pretty much flat at
~1000 people, and we just about manage to backfill retirements/MIAs.
To pick a random example, a less well known, less used, less popular
distribution like Nixos has 7000+ contributors listed on Github. It
would be wise to stop and reflect on why this is the case every now
and then. The passage of time and demographics are cruel and
merciless.

And the fact that, two decades or so after it became standard practice
in the industry, there is _still_ resistance against having CI runs
_before_ pushing things out simply boggles my mind. This is a no
brainer: run a CI before uploading, even a very basic one is just
fine, better than nothing. It's 2024, "but but but the Gitlab UI
doesn't display nicely on my 80x24 green phosphor monochrome monitor"
just doesn't cut it anymore, sorry.

Thanks for your reply, I know about there and is useful for found vcs
not working but vcs working/reachable but no longer used, in favor of
something else they are not identifiable.

The system is only able to notify partially for those not updated but it
is not possible to identify if you are working on another repository it
is not identifiable but it will be only if the vcs field will be
manually changed, so it is up to the maintainer to change it, in
addition there is a slight problem that it changes only with a new
upload, if a lot of time were to pass and a lot of work was done during
it would not be possible to notice immediately. In some cases you could
move the repository or notify the move inside but unfortunately in the
case of repositories on which you do not have permissions (for example
in abandoned packages and someone is about to adopt or recover them).
They seem quite rare but unfortunately they happen. Even if it was
recommended to keep them updated and if it changed update them
immediately doing a new upload just for that doesn't seem like the best
to me, could it be useful to have another way, or is there already one?
anyway this is just a minor thing and even if it were to improve it
would have little influence compared to what I suppose is what has the
most influence
contact field don't exist now right? even if the contact field maybe
doesn't give you an idea, maybe something like "contributing" that links
to the bugtracker, to the repository MR/PR or a wiki page or site with
any details (especially in case of a group)

how to do it on a technical level, inside debian/control or in another
way if it was better I don't think it would be a problem, to not disturb
the maintainers too much if you add something you can only put it
recommended and not mandatory.

maybe I'm not good at explaining myself, I think the problem is that if
a contributor, maybe even new or who wants to make even occasional
contributions on specific packages is not able to find in a simple and
fast way about the package on which he wants to contribute as he should
(or is better to do), in some cases you can understand in short time by
looking a bit at the bugtracker and the vcs while, looking for any wiki
pages if he is part of a team but in many cases it is not simple/fast to
understand how he should contribute for that package in order to get the
best result. using patches on bugtracker or vcs (like salsa) is just one
part, then there could be more

you could say to force everyone to use the same system, in theory it
would solve the problem, but in practice I find it difficult and perhaps
more harmful. I try to summarize: the contributors are people and not
machines, moreover many do it as a passion in a little free time and not
as if it were a job.
I think it is part of the main problem that is being discussed, not only
should we try to increase collaboration but I think it is useful, or
perhaps even more relevant, analyze carefully what the ways can help to
increase the contributions.

Increasing collaboration may indeed lead to improvement but increasing
contributions and contributors could in practice lead to even greater
overall results.

creating a single recommended method or collaborative forced more bring
could bring more contributions in different but there is also the risk
that they decrease in parte for unfavorable or struggling contributors
with any new obligations (this is why I think it is better to suggest or
recommend rather than force in some delicate parts such as those being
discussed here)

I would say to also think in terms of number of contributors and number
of contributions.

as for new contributors it is important to find the information needed
to learn and especially for those who want to try even just with
something small and targeted to succeed, the time spent is also relevant.

both general information about the packaging, and specifics of some less
common parts, and specifics regarding the development of the individual
packages (and the eventual team)

I think finding information quickly and easily is quite important, being
able to make the first contributions quickly enough and without
technical obstacles (from errors, temporary unattainability, frequent
minor slowdowns and occasional major ones) I think has a great influence
on the possible arrival of new contributors or even just occasional
contributions on single packages and I think more than the method used

for example if I was a new contributor or occasional contributor and I
tried to contribute and I found myself having problems on the wiki,
salsa or even packages.debian.org (as happened a few days ago) I would
90% give up

while the possible improvement of the collaboration method proposed here
I suppose could only influence between 10-30% more possible
contributions, but focusing all or mainly on salsa without having less
problems and slowdowns on it I think would increase the risk more rather
than any patches on the bugtracker via email which has little effect on
the fact even if it takes minutes to process the emails.

To sum up, I suppose that such things entail a high risk of losing
possible new contributors and/or contributions (even occasional ones), a
medium risk for occasional contributions from those who have already
contributed previously and a risk also of decreasing contributions from
those who contribute normally.

if you want even just a practical piece of data on some cases in which
the slowness, unattainability and problems of salsa, salsa-ci, wiki and
in some cases other parts have influenced my contributions:

there have been a few dozen times when I had some time and desire to
contribute but due to problems with salsa I gave up as soon as I started
for that day, others (also dozens) when I had started but then within a
maximum of half an hour or an hour with problems I stopped (there is
already work that stresses me, I don't want to try to contribute on open
source projects, in this case Debian is the same)

there have been cases in which I continued and did it even if it took
more time, with the same amount of time I could have done more without
any problems, but I don't know how to quantify it

there have also been cases where I wanted to make occasional
contributions to help packages that I use but do not maintain because I
have seen them with RC bugs, not updated for a long time or some rare
case for other problems but I have been discouraged by the difficulty
and the time required (even though many were small things). in these
cases you might think that the main problem was the difficulty of
collaboration of that package, to a large extent yes but less than you
might think, having all the projects on salsa and preferably in a team
would have helped in several of these cases but not many (right now I do
not have enough memories to give a possible quantity)

another thing that I think is a perhaps underestimated obstacle for new
contributors, and contributions. DD that help those trying to contribute
on mentors, possibly also DM to give advice, information, start
reviewing, at least someone I saw recently tried to give some visibility
to this problem here. you could advise new contributors about git, salsa
contribution methods, direct them to a team, if the package they want to
add could be in a team (these things for example are related to what you
would like to do in DEP-18). but then much more useful in practice is if
contributors find help, answers and if they manage to make good
contributions get accepted (preferably in a not too long time).

getting back to salsa here's a tip that I think would be a great help in
understanding how to proceed with DEP-18: make quick polls open to all
DDs, DMs and possibly other occasional contributors (mostly multiple
choice). to be able to know how good salsa is considered, how useful
they consider its use, what the main problems are (here I recommend
something specific at least to know how much they impact performance and
service issues in practice)

another practical thing prerequisite of DEP-18, it talks about a massive
use of salsa-ci, but are there resources to make it possible, and that
it works well? some possible limitations seem to be explained here
already:
https://salsa.debian.org/dep-team/deps/-/merge_requests/8#note_511732
but even if it became only recommended, as I also think it is very
useful for most packages (It helped me a lot to avoid some mistake and
improve the quality of the packages in less time, at least when it works
properly and in a fairly short time), it would have a significant weight
on the hardware level. furthermore, excessively long times due only or
almost only to overloads or failures not due to the package would weigh
negatively on the maintainers and if it were forced it would be a
negative weight I think greater than forcing the use of salsa

another thing i wonder are there any plans for improvement, someone know
what is needed? This is for both salsa-ci and salsa and wiki. would you
say if there is a need and how to contribute? I can't find anything
specific and the generic page on how to contribute
(https://www.debian.org/donations) seems a bit vague and lacking in
information, or I'm wrong?
this is complicated to explain, I'm not good at explaining nor in english^^'

staying on the subject of DEP-18 I think it could be relevant on stress
based on if/how it will be done and applied and what I wanted to bring
attention to is not to consider only the possible benefits on the
quality of the packages that it could bring but also the cost that it
could have on the people who contribute and try to be balanced

it is unfortunately common to think of profit at the expense of people,
in the case of Debian it would not be for profit but the impact on
contributions can be significant.

the ideal thing would be that it increases the quality and also makes it
more efficient and less stressful to contribute but I fear that this is
utopian and it is much more likely that there will be fewer results than
hoped for and a higher cost (on the people who contribute)

Hi,

On Fri, 2 Aug 2024 at 16:27, Johannes Schauer Marin Rodrigues
I have a 4-year old Dell XPS 13 (that came with Ubuntu preinstalled
and has perfect Linux support, great laptop by the way).
I got 9.25.

Some of the GitLab slowness is due to the server side, and some due to
JavaScript. I prefer to use mild terms "a bit sluggish" out of empathy
to the people who maintain Salsa, as it is probably not fun for them
to read too vocal complaints after the incredible amount of work they
have put in to get us this far. I am very grateful for their work and
with the language in the bug report I try to be constructive on what
things to prioritize next.

...
Thanks for pointing out the typo. I meant 'not a permanent reason'. I
typo now/not frequently for some odd reason and since both words are
in the dictionary, my spell checker does not flag it.
This I think summarizes well the opinion of most people I have spoken
with. GitLab is not perfect, but it was chosen and we have been using
it for 5+ years mostly successfully. Most packages are there and we
should state that it is the recommended option. Currently the second
most popular option is to use GitHub, or not use any vcs at all.

A lot of this thread has gone into people expressing their dislike for
Salsa. Most people still use Salsa - I guess the silent mass isn't
chiming in in this thread that much now. Some people probably have
very optimized email workflows, and nobody can argue against the
statement that a pure email workflow for sure is simple, and has its
elegance. But it also has shortcomings such as no lack of
metadata/status, no built-in way to run CI and share the code+logs+CI
results etc.

Following the principles 1 (use git) and 2 (use Salsa) allows for the
next principles 3, 4 and 5 to take place. I would be curious to hear
more views about them.

DEP-18 summary (https://salsa.debian.org/dep-team/deps/-/merge_requests/8):
1. Have package source code in version control, using git
2. Host package source on Debian's code forge Salsa
3. Run Salsa CI at least once before every upload to ensure minimal
level of quality
4. Allow Merge Requests to be submitted
5. Allow changes to be reviewed before uploads to Debian

My plan is to summarize the discussion and update the proposal in the
coming days, incorporating as many views as possible. I will also in
the next update include additional relevant context info such as
tag2upload, glab and examples of how to easily work with both Debian
bug tracker and MRs in parallel.

Please share your views, and also +1 or -1 the proposal on Salsa so we
can incorporate that too in measuring the support of this.

Remember that DEPs are soft rules - unlike General Resolutions (GRs) -
and maintainers who have specific reasons to not want to use git or
Salsa will not be forced to do so.

It's similar but different: I'm talking about workflows to build a package
from the repo (e.g. "gbp with gbp-pq and importing upstream tarballs").
And yeah it could be a metadata field.

annoyance maintainers for update it on many package, with a url that
point to an external file can be update once for even on tens, hundreds
or more packages it could be set on
not only new but also any contributors that want to contribute on other
package, also about that I tried to explain something in one of my
previous mail
I don't know how likely it is, I hope it's very rare
There is a lot of other information that may vary on how to contribute
in certain packages or teams beyond what is already listed, here only
some example:

Debian Python Team -
https://salsa.debian.org/python-team/tools/python-modules/blob/master/policy.rst

Java team - https://www.debian.org/doc/packaging-manuals/java-policy/

Rust team - https://wiki.debian.org/Teams/RustPackaging

go team - https://go-team.pages.debian.net/packaging.html

Not sure how is this related but packages.debian.org is, or should, indeed
be used by maintainers only rarely.

Hi!
Thanks for reading DEP-18. I am trying to help Debian here by
accelerating the convergence on common practices to make it easier for
people to collaborate using Salsa. These are not personal views, but
based on the analysis of all team policies in Debian and from
collecting stats from Debian packages, using for example data points
that 13573 packages in Debian have explicitly a debian/gbp.conf file
already.

The previous version also had more background info, but I was told
that it does not fit a DEP text, which I agree so I rewrote the whole
thing. I am trying to think if I should expand the Q&A section, or
perhaps publish elsewhere more docs / stories on how collaborative
maintenance using Salsa currently looks like in many teams/packages..
Thanks for the viewpoints and the input that further argumentation is
needed.

In the previous version
(https://salsa.debian.org/dep-team/deps/-/merge_requests/8, raw file
at https://salsa.debian.org/dep-team/deps/-/blob/f9ba136130ab02b9715d863aea948a604c278bff/web/deps/dep18.mdwn)
the suggestions were more high-level and in principle. The feedback
was that a DEP needs to be more prescriptive, thus in the rewrite I
among others added git-buildpackage, as that way maintainers will
automatically get the ability to easily gbp
clone/build/commit/push/merge etc the packaging code. This
recommendation is based on what most maintainers and teams already
use, and thus I don't think it is unreasonable. Anyway a DEP is not a
policy, and with the new title, this DEP only applies for a subset of
Debian packages and does not mandate that all packages should be on
salsa.debian.org, as in the previous feedback round many voiced that
they don't want to use Salsa.

Generally everything is in publicly available git repositories, if you
know where to look (somewhere distributed between wanna-build, buildd,
pybuildd, and dsa-puppet). The setup of the coordinator in particular
suffers from only having a single installation (not even a staging/test
one), though.

I agree in principle in that a lot of trust needs to be extended to the
management and operation here - and we could do much better. I'm not
sure if pipelines are any better if the runner could equally tamper with
the builds. But everything is in git somewhere.

One challenge in particular is that we don't have virtualization
available on all architectures equally, so we are operating with
machines that are not ephemeral. And we would not have the resources to
do extensive maintenance on a machine after every build. Hence
Reproducible Builds to keep us honest.

That said: There hasn't been much innovation in this space so far - in a
way that was usable by Debian. Making builds something based off tasks
(e.g. in a pipeline) when a package is uploaded rather than diffing the
archive and trying to match the intent is something I would have wanted
to see for a long time.

Kind regards
Philipp Kern

fwiw, i dont think that a properly scoped DEP would change any of
that. eg, it could be written to be only about what goes into the
archive and not say anything about using schroot locally, or whether
salsa is gitlab or something else. but maybe i misunderstand
I suspect that if the DEP was clearer in scope and aims, these concerns
would not actually arise