guix-devel

Re: A "cosmetic changes" commit that removes security fixes


From: Giovanni Biscuolo
Subject: Re: A "cosmetic changes" commit that removes security fixes
Date: Sat, 01 May 2021 16:50:26 +0200

Hi Pierre,

Pierre Neidhardt <mail@ambrevar.xyz> writes:

> I haven't really followed the issue,

I have, very carefully ;-)

> so I couldn't say whether the decision taken by the core maintainers
> was right or not.

From my point of view it was /but/ this is *not* relevant: what's
relevant here is that /if/ we trust Guix maintainers (I do) when they
give commit access rights to people, we /have/ to trust them when they
revoke those rights.  We /should/ discuss /if/ the rules and best
practices to have and maintain the commit access are well documented:
please make proposals (patches welcome :-) ) but please we have to keep
trusting Guix maintainers (that is a collective of very competent
people).

[...]

>> I am not a core maintainer, but it should be obvious that core
>> maintainers would not take a decision to revoke commit rights lightly.
>
> I trust that it is the case, but being the devil's advocate,

Please don't:
«Why the Devil's Advocate Doesn't Help Reach the Truth»
https://www.gnu.org/philosophy/devils-advocate.html

--8<---------------cut here---------------start------------->8---

The devil achieves that by twisting my words: presenting a misleading
context in which my words appear to mean something other than what I
intended.

--8<---------------cut here---------------end--------------->8---

;-)

[...]

> Another question one could ask: why just the core maintainers
> actually?  Shouldn't everyone be involved?  Maybe the right answer is
> "no" here, and if so, I believe we should explain why in the community
> guidelines.

Guix is a GNU project and AFAIU GNU project management is well
documented:

https://www.gnu.org/gnu/gnu-structure.html

I don't know if Guix project needs specific «GNU Guix structure»
documentation but /if/ the answer is yes it should complement the
official GNU one, not replace it, IMHO.

BTW I see Guix contributors with commit access as "package maintenance
assistants" delegated by maintainers to make some technical decisions:

--8<---------------cut here---------------start------------->8---

The maintainers of a package often recruit others to contribute to its
development, and delegate some technical decisions to them. However,
the maintainers retain authority over the whole of the package so they
can carry out their responsibility to the GNU Project.

--8<---------------cut here---------------end--------------->8---

Please we should always consider that GNU maintainers are the persons
that carry out the responsibility to the GNU project, not contributors
with commit access.

Maybe the contributing section of Guix manual should mention it and link
the relevant GNU project's documents: do you think it'd be useful?

> Lest the community present an image where a few would benefit from
> arbitrary privileges.

...or seen from /the other side of the moon/: a few carry out the
precious work to be /responsible/ to do a good, practical job of
developing and maintaining Guix according to the GNU project's mission
and general decision.  If you want, call it /arbitrary privilege/ but I
have a different point of view :-D

The "community" (whatever this means) should acknowledge that
contributing also means to be responsible toward other users of free
software: this needs competence in the specific matter (also domain
specific), discipline (i.e. properly documenting changes in commit
messages) and commitment to a set of common shared rules (documented in
Guix and GNU project manual).

[...]

> Last, maybe a more important question: if core maintainers are
> entrusted to take executive decisions about the community members,
> what about executive decisions about the core maintainers themselves?

Maintainers are appointed by the GNU project.

> Are there such provisions?  Example: what if a core maintainer
> misbehaves?  Can they see their privileges revoked?  How?  Is this
> documented?

«GNU Software Evaluation»
https://www.gnu.org/help/evaluation.html#whatmeans

Does this answer your question?

[...]

Happy hacking! Gio'

-- 
Giovanni Biscuolo

Xelera IT Infrastructures

Attachment: signature.asc
Description: PGP signature

