On 04/11/2022 13:05, Chad Dougherty wrote:
On 2022-11-04 08:34, Jon Turney wrote:
The second is not so clear: A package is orphaned if its maintainer is not responsive to queries as to if they still want to be the maintainer of the package.

It's undefined how many times we should ping, or how long we should wait for a response, but I think that the ~10 months that's elapsed here is more than enough!

If the prospective adopter is also proposing an update that addresses security vulnerabilities in the old package, I suggest that that, and the severity and impact of those vulnerabilities be factored into the timeout decision.

Well, maybe.

I think a common way for distros to handle this is to have some subset of maintainers who are allowed to make NMUs for these "important" updates.

The problem is we don't really have the concept of an NMU currently, although this is (again) due to accidents of history, rather than by design.

The current upload policy is:
- Only the maintainer for a package is allowed to upload that package.
- If a package is orphaned (has no maintainer), there are some "trusted" maintainers who are allowed to upload it.

I'm kind of inclined to relax that a bit, although I'm not sure what to.
