Maintainer Abuse

Fred Wright fw at fwright.net
Fri Dec 30 05:05:48 UTC 2022


On Thu, 29 Dec 2022, Joshua Root wrote:
> On 2022-12-29 15:59 , Fred Wright wrote:
>> 
>> Twice recently I've had changes made to ports I maintain without respecting 
>> the maintainer timeout (and not for any urgent security-related reasons). 
>> The first was py-serial, where the change was merged without waiting for 
>> the maintainer timeout.  And just now I see that someone abused their write 
>> access to bypass the PR mechanism entirely for a gpsd update, so that I 
>> wasn't even notified of the change.  And I've had good reason to hold off 
>> on updating gpsd, due to its missing dependency on asciidoctor, which is 
>> currently broken on some platforms due to the insistence on tying it to a 
>> broken version of ruby, which I've actually been working on fixing.
>> 
>> Is this now the Wild West?

> Sorry you've been put out by these commits. Both of these ports are marked as 
> openmaintainer, which according to the project policy [1] means that minor 
> changes are allowed without obtaining the maintainer's permission first. That 
> certainly isn't carte blanche to do whatever you want, but it does mean that 
> pushing changes directly isn't necessarily against the rules.

My understanding is that only time-critical changes, or stuff in the 
"cleanup" category, should be pushed without maintainer input.

> The definition of a minor update is left somewhat vague, but can probably be 
> thought of as synonymous with low-risk. I would say anything beyond simple 
> bugfixes, and certainly anything that changes the API or ABI, should be run 
> by the maintainer first. And as the policy says, the committer is responsible 
> for ensuring that the changes work properly. If you push a change to someone 
> else's port, you should consider yourself "on the hook" for fixing anything 
> that breaks as a result.

More on "minor" and "low risk" below.

> When in doubt, run it by the maintainer.
>
> I'm not familiar enough with gpsd to say whether the recent update was minor 
> or not. Marius, please work with Fred to resolve any issues that it may have 
> caused.
>
> If the change to py-serial you're referring to was mine of Dec 13, that was 
> part of a mass update to adopt a new feature in MacPorts 2.8.0, which only 
> touched openmaintainer and nomaintainer ports. IMO it was well within the 
> definition of a minor change.

That isn't the change I was referring to (but see below); I was referring 
to 66c7d25d427.  I had no objection to adding the py310 subport (though 
checking still would have been appropriate), but I strongly object to the 
removal of the py34-py36 subports.  And no change that removes a 
capability can be considered "low risk" by any stretch of the imagination.

I'm a firm believer in maximum compatibility, and one of the things I like 
about MacPorts is its support for a wide range of OS versions (though 
adequate testing is often lacking).  But for some reason, that same 
courtesy isn't extended to older Python versions, and some even think that 
it's a good idea to engage in rampages of ethnic cleansing of older Python 
subports.

One shouldn't look to the python.org folks for guidance on this issue; 
those are the same folks that (initially) expected everyone to immediately 
migrate to Python 3, and explicitly discouraged making code simultaneously 
compatible with both Python 2 and Python 3 at all.  But Python versions 
can't be mixed within a single execution of a single program, so a given 
program and all its imported modules have to be compatible with at least 
one Python version.  Similarly, every module needs to have at least one 
Python version compatible with itself and every program that uses it. 
This creates a massive interconnected web of Python code that needs to be 
simultaneously compatible with at least one Python version.  Denying 
simultaneous Python 2/3 compatibility was tantamount to expecting the 
majority of all Python code in the entire world to be converted in 
lockstep from Python 2 to Python 3, which was utterly insane (particularly 
given that a lot of that code is maintained by volunteers 
working in their spare time).

Once the pitchfork-carrying mobs appeared at the gates, the python.org 
folks relented and provided documentation and recommendations for 
"polyglot" code that works with both Python 2 and Python 3.  They also 
extended the support period for Python 2.7, but even the extended period 
was woefully inadequate.  There are substantial incompatibilities between 
Python 2 and Python 3, and it takes real work to fix existing Python 2 
code to handle Python 3.  I know of at least one project that was still 
fixing bugs related to Python 3 many months after dropping support for 
Python 2, so that running it with Python 2 wasn't an available workaround.

Personally, I now try to write all *new* Python code so that it's 
compatible with both, and I've fixed a substantial amount of my existing 
code to do so, but I still have a substantial amount of code that hasn't 
yet been fixed for Python 3, so my default Python is still 2.7.

On another ML, there was a brief discussion related to Python versions on 
Google App Engine.  Someone who was instrumental in the development of 
both Python itself and Google App Engine posted this:
------------------------------------------------------------------------
In 2020 a Googler told me that 2.7 was going to stay "for the foreseeable
future". When the end really comes, I plan to just move to Azure. :-)
------------------------------------------------------------------------

The "newer may be brokener" principle isn't limited to Python 2 vs. Python 
3.  Thanks to the ill-conceived PEP 475, any program expecting a simple, 
straightforward interaction between signals and select() or poll() is 
broken in Python >=3.5.  Even though the rationale for PEP 475 is 
inapplicable to select/poll, its approach was inflicted on them anyway. 
In Python >=3.5, in order for a signal to unblock a select/poll, it needs 
to use either one approach that's somewhat more complicated and also has a 
bug requiring a kludgy workaround that may not be 100% reliable, or 
another approach that's more complicated and poorly documented.  Hence, 
certain programs that don't want to contend with that mess shouldn't use 
anything later than Python 3.4, and Python 3.4 joins Python 2.7 in the 
list of versions that need to be kept around for the forseeable future to 
avoid forcing breakage on users' code.

There may be other such cases; these are just the ones I'm aware of, and 
the python.org folks have a very cavalier attitude toward breaking things. 
The only way to avoid both foreseen and unforeseen problems is to avoid 
removing versions altogether.  Version removal is like a war game - the 
only way to win is not to play.

Some folks like to obsess over avoiding anything that doesn't get 
"security updates".  But this concern is largely overblown, especially in 
the EOL case.  A security fix is only relevant if it applies to a feature 
that a given user or piece of software is actually using.  And for a 
"mature" version (which probably applies to anything EOLed), it's quite 
likely that all the bugs in the widely used features have already been 
discovered, and the remaining ones are in relatively obscure features that 
are far less likely to be used in any given case.

That being said, if anyone wants to avoid EOLed software *themselves*, 
they're perfectly welcome to do so, but they shouldn't be forcing their 
judgment of what's appropriate on everyone else.

Regarding maintainability, a port with significant patches becomes *more* 
maintainable when it's EOLed, since it's no longer necessary to reconcile 
local patches with upstream changes.

Regarding 46ab9a2e798 - it would be best to defer adding 'any' to 
'platforms' anywhere until "port lint" is fixed to stop treating that as 
an error.

> If you would like your permission to be required for all changes to these 
> ports, the openmaintainer tag can be removed from the maintainers option.

That would be a possibility, though I didn't think it was supposed to be 
necessary.

On Thu, 29 Dec 2022, Marius Schamschula wrote:

> As I’m the one to blame for the update to gpsd, let me explain:
>
> 1) gpsd is a dependency of Stellarium which needs a major update. Two 
> maintainers were working on this last night and found that the default 
> dependency tree asked for Python 2.7 and py27-serial (more on that 
> later)

Other variants have been available for quite some time (thanks to Michael
Dickens).

> 2) MacPorts currently supports py37, py38, py39 and py310. As of Sunday, 
> that’ll be py38, py39, 310 and py311. There’s a reason for that: 
> upstream support. Python 2.7 should not be used, never mind, the default 
> anymore.

I completely disagree - see above regarding Python versions.

Although "port upgrade" tries to avoid breaking existing installs by 
preferring current installed variants to new (possibly changed) default 
variants, that only works when the old variants are actually available. 
Removing a variant altogether when it was formerly the default is 
extremely rude.  There needs to be a substantial minimum time (probably 
measured in months) between when a default variant is made not the default 
and when the old default variant is removed (if ever).  And a suitable 
deprecation warning is warranted as well.

> As far as py-serial: the name is confusing.  For a personal project 
> (weewx) I had created a local version (pyserial is the upstream name) as 
> PyPi has a ’serial’ package that does serialization rather than serial 
> port support. I only figured out this redundancy when trying to install 
> gpsd.

I agree that the naming is confusing.  I didn't create the port - I just 
took it over from nomaintainer.  Perhaps someone thought that py-pyserial 
smacked too much of the Department of Redundancy Department.  But changing 
it now probably isn't worth the potential additional confusion.

BTW (as documented in the Portfile comments), gpsd's dependency on 
py-serial is "soft", in the sense that it's mostly fine without it, with 
just a couple of its programs having reduced capability in that case. 
But since py-serial is so lightweight, it didn't seem worth making it a 
variant.

Fred Wright


More information about the macports-dev mailing list