Maintainer Abuse

Joshua Root jmr at
Thu Dec 29 05:57:49 UTC 2022

On 2022-12-29 15:59 , Fred Wright wrote:
> Twice recently I've had changes made to ports I maintain without 
> respecting the maintainer timeout (and not for any urgent 
> security-related reasons).  The first was py-serial, where the change 
> was merged without waiting for the maintainer timeout.  And just now I 
> see that someone abused their write access to bypass the PR mechanism 
> entirely for a gpsd update, so that I wasn't even notified of the 
> change.  And I've had good reason to hold off on updating gpsd, due to 
> its missing dependency on asciidoctor, which is currently broken on some 
> platforms due to the insistence on tying it to a broken version of ruby, 
> which I've actually been working on fixing.
> Is this now the Wild West?
> Fred Wright

Hi Fred,

Sorry you've been put out by these commits. Both of these ports are 
marked as openmaintainer, which according to the project policy [1] 
means that minor changes are allowed without obtaining the maintainer's 
permission first. That certainly isn't carte blanche to do whatever you 
want, but it does mean that pushing changes directly isn't necessarily 
against the rules.

The definition of a minor update is left somewhat vague, but can 
probably be thought of as synonymous with low-risk. I would say anything 
beyond simple bugfixes, and certainly anything that changes the API or 
ABI, should be run by the maintainer first. And as the policy says, the 
committer is responsible for ensuring that the changes work properly. If 
you push a change to someone else's port, you should consider yourself 
"on the hook" for fixing anything that breaks as a result.

When in doubt, run it by the maintainer.

I'm not familiar enough with gpsd to say whether the recent update was 
minor or not. Marius, please work with Fred to resolve any issues that 
it may have caused.

If the change to py-serial you're referring to was mine of Dec 13, that 
was part of a mass update to adopt a new feature in MacPorts 2.8.0, 
which only touched openmaintainer and nomaintainer ports. IMO it was 
well within the definition of a minor change.

If you would like your permission to be required for all changes to 
these ports, the openmaintainer tag can be removed from the maintainers 

- Josh

[1] <>

More information about the macports-dev mailing list