Lucas WerkmeisterMar 4

unfinished thought: it would be quite good to have something like the Toolforge Abandoned Tool policy (https://wikitech.wikimedia.org/wiki/Help:Toolforge/Abandoned_tool_policy) for non-tool Wikimedia code, such as libraries (e.g. #m3api) or applications (e.g. Pattypan?)

this could be a step towards “Off-the-shelf governance models for small FOSS projects” (@pintoch, https://antonin.delpeuch.eu/posts/off-the-shelf-governance-models-for-small-foss-projects/) – if a codebase opts into it (README.md?), there would be an established process for adopting it if the maintainer goes inactive

#Wikimedia #Toolforge

Help:Toolforge/Abandoned tool policy - Wikitech

Show threadtaavj
@LucasWerkmeister @pintoch hmm. not sure if I want the maintainership of some code I depend and trust on being forcibly passed to someone the original maintainers (who I had explicitely trusted by using the library) hadn't explicitely supported, without some explicit action on my end (like updating the package name) on my end to choose to trust it
Mar 5 at 1:34amWeb
Show threadLucas WerkmeisterMar 5
@taavi I'll have to turn this over in my head some more, but I'm puzzled to hear this from a Debian Developer… while there are of course differences (such as a more closed, trusted pool of developers), doesn't Debian also have something that fits your description? (from a quick look through the docs, Package Salvaging would seem to fit? https://www.debian.org/doc/manuals/developers-reference/pkgs.html#package-salvaging)
5. Managing Packages – developers-reference 14.4 documentation

Show threadLucas WerkmeisterMar 5
@taavi anyway, just spitballing before I go to sleep ;) but at least in the more limited context of libraries in ecosystems that use semver, I could imagine mitigating this concern by requiring that the first new release post-adoption must be a new major version which mentions the adoption in the release notes, thus giving users of the library an opportunity to notice the maintainership change?
Show threadtaavjMar 5
@LucasWerkmeister well, any DDs practically have the ability to run arbitrary code on my laptop right now, regardless of whether they go through that social process or not. but any arbitrary Phabricator users who show up to want to take over some abandoned thing do not. the abandoned tool policy explicitely has provisions to not pass on secrets to the new person just showed up, for these reasons