Unsurprisingly, I awoke to a disappointing response from the Debian bugs team. The email was sent privately so I won't post it here, but it boils down to “nah man, this is normal”. On a whim, I have therefore asked the Debian TC if they have a policy on quality and correctness review of patches inserted by Debian into upstream software:
To: debian-ctte@lists.debian.org
From: mikal@stillhq.com
Subject: Debian patch review process (was Complaint regarding conduct on bug 1132795)
Hello what is hopefully the Debian TC.
I recently had a weird experience on a Debian bug as an upstream
software author. I am not a Debian Developer.
The relevant artifacts are:
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132795
* https://github.com/mikalstill/pngtools/issues/37
* https://www.madebymikal.com/is-this-the-standard-of-behavior-we-get-from-debian-now/
* https://www.madebymikal.com/lets-see-if-the-debian-complaints-process-gets-anywhere/
And to a lesser extent the discussion at
https://www.linkedin.com/feed/update/urn:li:activity:7471777300879982592/
although I understand that some aren't super into walled garden business
themed social networks.
I raised the conduct I experienced with owners@bugs.debian.org and while
disappointed that the answer (below) appears to be that this is aligned
with Debian's expectations of upstream interactions, I am more concerned
about another issue. I want to be super clear that I genuinely don't care
about a cosmetic patch to pngtools because of one complaining and quite
rude user.
What I do care about is that I think the experience demonstrated that
there isn't much if any review process for these patches being added. I
would like to understand how Debian ensures that supply chain attacks
aren't being inserted into packages at this packaging layer given they
appear to be able to be landed by a single Debian Developer without any
internal review. Surely this class of attacks should be of concern to
Debian just as much as people's freedom to own and change the software
they run?
Thanks,
Michael
I will await further disappointment.