Hi fellow developers,

(modified resend, as first attempt didn't arrive)

please allow me to open a can of worms. Package removal from unstable.
Deciding when it is time to remove a package from unstable is difficult.
There may be users still and it is unclear whether keeping the package
imposes a cost. In this mail I want to argue for more aggressive package removal and seek consensus on a way forward.

What does a package cost?

There are various QA-related teams looking at packages from other
maintainers. When it trips a check, that often incurs time from some QA
person investigating a report or failure. Examples:
* Lucas Nussbaum, Santiago Vila and a few more regularly perform
archive rebuilds and report failures. They review a significant
fraction of reports before sending, but there also is CPU resources
for performing all those builds involved.
* Reproducible builds folks actively investigate packages that fail to
build reproducibly (or fail to build in the first place) and file bug
reports often accompanied by patches.
* Some cross build folks regularly send patches for cross build
failures and also occasionally real FTBFS. About one such patch per
month gets closed by ftp master package removal without ever having
been applied.
* DEP17 support folks send patches. Many of the remaining packages have
accumulated RC bugs such as FTBFS.
* As packages fail to migrate to testing for a long time, a release
team member eventually looks at the package.
* There are many more people doing various forms of QA and sending
patches.

By virtue of being part of Debian, a package receives attention by a significant number of developers. Assigning a number is non-trivial, but
we can say for sure that it is significant. Especially developers doing /usr-move NMUS (e.g. Chris Hofstaedler and Michael Biebl) now wonder
how much effort to put into the remaining packages. Removing more
packages would reduce the number of NMUs required there.

I suggest that we are keeping too many packages in unstable and that
they incur a non-trivial cost. It is not clear at all where to draw the
line, but maybe we can shift the line more towards removal?

What does package removal cost?

Before a package can be removed, it needs to be reviewed for reverse dependencies and if there are any, they have to be switched to something
else or removed as well. The actual package removal first and foremost
is carried out by a ftp master. There may still be people actively using
the package and they have to find some replacement for their task at
hand. Sometimes, packages are reintroduced. Doing so incurs a pass
through NEW (and review by the ftp team). Closed and archived bugs need
to be reopened and reviewed. Sometimes, it is quicker to just NMU a
particular problem that to review a package for removal.

When to remove a package?

I looked at UDD and came up with a suggested query.

SELECT s.source, s.maintainer, b.id, b.title
FROM sources AS s JOIN bugs AS b ON s.source = b.source
WHERE s.release = 'sid'
AND NOT exists(SELECT 1 FROM sources AS t WHERE s.source = t.source AND t.release IN ('bookworm', 'trixie'))
AND NOT exists(SELECT 1 FROM key_packages AS k WHERE k.source = s.source)
AND b.affects_unstable = true
AND b.severity >= 'serious'
AND b.last_modified <= now() - interval '1 year'
AND s.source NOT IN ('check-all-the-things', 'debbugs', 'firefox', 'gcc-snapshot', 'gitlab', 'hurd', 'openjdk-19', 'openjdk-20', 'singularity-container', 'virtualbox', 'wine-development')
ORDER BY s.source, b.id;

A very similar query is achievable using the web interface:

https://udd.debian.org/bugs/?release=sid&notbookworm=only&nottrixie=only&merged=ign&keypackages=ign&flastmod=ign&flastmodval=366&rc=1&sortby=id&sorto=asc&format=html#results

Human readable explanation:
* Packages in sid
* not in bookworm or trixie
* not a key package
* affected by an RC bug that has been last modified more than a year ago
* not among a few selected exceptions

These results yield 360 or 351 bugs respectively. I am including a
package list from the SQL for those who prefer following offline, but
including more would trip the spam filter.

What do you think about the proposed criteria and suggested set of
source packages? Is it reasonable to remove these packages from
unstable? In a sense, it is extending the idea of the testing auto
remover to unstable. Similarly, a package can be temporarily saved by
mailing the respective bug.

Let us assume that we agree on there being a set of packages to be
removed. What is a reasonable process? Is it ok to just file a pile of
RoQA bugs or is more warning warranted? Should we maybe use a process
similar to salvaging where there is an "ITR" (intent to remove) bug that
is reassigned to ftp after a reasonable timeout?

My personal motivation for looking into this actually is the /usr-move
work and the cross build support work. Please do consider me biased.

Helmut

aboot
adacontrol
aiocoap
aiorwlock
airport-utils
android-platform-external-doclava
anki
ants
apertium-crh-tur
apertium-cy-en
apertium-kaz-tat
apertium-mlt-ara
apertium-sme-nob
arrayfire
asis
aws-shell
backdoor-factory
bdfproxy
beanbag
binutils64
boinc-app-eah-brp
bookkeeper
breezy-loom
bwctl
ca-cacert
chibi-scheme
cpl-plugin-xshoo
crazydiskinfo
cycle-quotes
debian-timeline
devpi-common
dfvfs
dirspec
dltlyse
dogecoin
drmips
dune-pdelab
dxvk
dynamic-motd
ecb
ecere-sdk
eclipse-cdt
eclipse-collections
eclipse-tracecompass
effcee
elektra
enigmail
epigrass
evqueue-core
fakeroot-ng
fava
flask-testing
flightgear-phi
fonts-alegreya-sans
fonts-pecita
freeart
frozen-flask
fruit
gandi-cli
gems
ggcov
giblib
gigedit
github-backup
gli
gnat-gps
golang-github-bsm-pool
golang-github-coreos-go-tspi
golang-github-crewjam-saml
golang-github-form3tech-oss-jwt-go
golang-github-go-redis-redis
golang-github-jesseduffield-asciigraph
golang-github-jesseduffield-gocui
golang-github-jesseduffield-pty
golang-github-jesseduffield-roll
golang-github-jesseduffield-rollrus
golang-github-jesseduffield-termbox-go
golang-github-jesseduffield-yaml
golang-github-manyminds-api2go
golang-github-minio-cli
golang-github-tsenart-tb
golang-gopkg-mcuadros-go-syslog.v2
gr-dab
graftcp
greenbone-security-assistant
guacamole-server
haskell-cborg
haskell98-tutorial
hipspy
hydroffice.bag
i2masschroq
ifscheme
ignore-me
imdbpy
info-beamer
iptables-converter
irssi-plugin-robustirc
itop
jajuk
jodd
jquery-simpletreemenu
jsjac
jsunit
kryo-serializers
laminar
leaflet-image
leap-archive-keyring
libapache2-mod-defensible
libaws
libdevel-bt-perl
libhandy
libmonitoring-availability-perl
libneo4j-client
liboqs
libpam-ssh
libpthread-workqueue
libretro-mupen64plus
libzorpll
lilyterm
literki
lives
lsdb
mahimahi
mate-optimus
matrix-sydent
mbdyn
medialibrary
minify-maven-plugin
mixer.app
mldemos
mlton
mlucas
mod-gnutls
monkeysphere
moviepy
mozillavpn
mppenc
mpqc3
multiplex
mutextrace
mxt-app
myhdl
mysql-8.0
mysql-connector-python
nautilus-scripts-manager
navi2ch
nbibtex
node-lockfile
node-matrix-js-sdk
node-mermaid
node-node-forge
node-node-localstorage
node-puppeteer
node-trust-webcrypto
notcurses
nuitka
nvidia-graphics-drivers-legacy-340xx
nvidia-graphics-drivers-legacy-390xx
nvidia-graphics-drivers-tesla-418
nvidia-graphics-drivers-tesla-450
nvidia-graphics-drivers-tesla-460
obs-ptz
obs-websocket
octave-database
octave-tisean
octicons
openexr-viewers
opengrm-ngram
openmx
openrocket
openscap-daemon
origami
ortools
pafy
pdfrw
perl-doc-html
php-fig-link-util
php-horde-mongo
php-net-ipv6
php-sabre-event
php-sabre-http
php-sabre-uri
php-sabre-xml
php-sparkline
php-webimpress-safe-writer
picprog
platformio
pluginhook
powermock
privbind
profitbricks-sdk-python
pstack
pulseaudio-dlna
pxe-kexec
py-lz4framed
pyfr
pympler
python-dugong
python-gear
python-html-sanitizer
python-opentracing
python-pyramid-multiauth
python-pyramid-zcml
qiskit-aer
qiskit-ibmq-provider
qmenu
rdup
resteasy
resvg
ricochet-im
ruby-coffee-script
ruby-diaspora-federation
ruby-google-cloud-translate
ruby-jekyll-coffeescript
ruby-jekyll-remote-theme
ruby-omniauth-bitbucket
ruby-riddle
ruby-uglifier
ruby-upr
ruby-yaml-db
rust-fxprof-processed-profile
rust-hdrhistogram
rust-librespot-protocol
rust-rspotify
rust-rust-code-analysis
rust-rust-code-analysis-cli
rust-tcmalloc
rust-wasm-bindgen-webidl
scheme2c
shotdetect
snort
socket-activate
soundmanager2
spdx-licenses
spyder-memory-profiler
spyder-reports
squid-deb-proxy
stylish-haskell
subvertpy
swfmill
syncmaildir
sysrepo
telegram-cli
telegram-purple
termtris
thawab
tldjs
tomcatjss
tpot
ttyd
twofish
tycho
umlet
vagrant-bindfs
vg
vibe.d
vlogger
vncterm
vowpal-wabbit
w3-dtd-mathml
watson
win-iconv
xjig
xmms2-scrobbler
xqilla
xrstools
xtide
yap
zeek
zeek-aux
zmodemjs

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

On 8/20/24 14:28, Helmut Grohne wrote:

enigmail

Thunderbird has native GPG support now, including (well-hidden) support
for calling into the installed gpg binary to use a smartcard.

mutextrace

Oof, I should fix that finally, because in principle a debugging layer
to find lock hierarchy violations would be good to have.

obs-websocket

Websocket support was merged into the main program a while ago.

Simon

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

Quoting Helmut Grohne (2024-08-20 07:28:52)

What do you think about the proposed criteria and suggested set of source packages? Is it reasonable to remove these packages from unstable? In a sense, it is extending the idea of the testing auto remover to unstable. Similarly, a package can be temporarily saved by mailing the respective bug.

if I remember correctly, a package can also become a key package by having a high-enough popcon value. If that is correct, maybe there should also be the inverse. Looking at your list, about 85% of those packages have a popcon lower than 100. Taking the popcon value into account would also kinda make your hand-curated list of exceptions obsolete as your current list has popcons well above 100, for example. If the popcon is taken into consideration, that would also give a little bit of insurance that only very few users will be affected.

Thanks!

cheers, josch
--==============S24113733303967552=MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Description: signature
Content-Type: application/pgp-signature; name="signature.asc"; charset="us-ascii"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEElFhU6KL81LF4wVq58sulx4+9g+EFAmbEL94ACgkQ8sulx4+9 g+GLsw/+I/EKWCVjNKH54S3AcsYRiDn1wbUNOD4RZyCbm4PXRxWIZJOwegBPw4+9 6YAXYNTE4rCHwWBoSULI/qlgbtq5ZftP+qHG8TcZiw7eTSrjGuTxoHb4LhPZN+1N rzUFbjF57Gcm+Pgbluqv1m7n6iPeY7lhNFQ7TFl0wQKLtiS8Md1qlDdJGMYGEOLy lTVn+7T+NJqnRYYWsOF46TLwzTSc4NAK1Q2UTGUBsQVa9NdqDY/AL0WNFCegI+zo eD5zeraLmVfwGGbT5uHyX0fQZkbxy0d4teiNtlWLOAgU8GBsh4zzGnSyTr07hLBY /yddyAYwNjqZO+bcl9rE2os/NGeSj327OCV9yRedIi8HAYL/Jh8s/6Hftoan1u2/ Z0v2/ZZX3cgfUjHHTPJ2KUtDoXlEstnF46cQvmcmgpEpNpwHuSUgPSJaygq0NbmN WrplmgIC9kY8lkdChV9YjuzZhvST6TWE0InzJO7nd8M6ek9/zCoattZV9zef9HZp AJE0JCD97+iI8rOzfYy5c85uirOftw1wyqziV47o+t9E8xWHbDDxHWvp4f/wHo5Z L9dTdBk1rKQWx+WOYLUk037NApCJfSsRkz1AoVNQG8qXaGz4kHrLDJIjTt2+smxY nFmCP9kpzARrwJqcHc834/8ibcPAwgT83Ypi9J9MYdeFODcOKnE=
=7y41
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

On 20/08/2024 07:28, Helmut Grohne wrote:
[…]

What does a package cost?

[ a lot ]

What does package removal cost?

[…] Sometimes, packages are reintroduced. Doing so incurs a pass
through NEW (and review by the ftp team). […]

That’s the main reason why I usually keep packages around for a few
months after getting them removed from unstable.

php-fig-link-util

[…]

php-sabre-event
php-sabre-http
php-sabre-uri
php-sabre-xml
php-sparkline
php-webimpress-safe-writer

( and more )

… And months become years… I’ll try and take care of the removal from unstable of those package, but don’t know when, so no objection if
you’re quicker.

I welcome your initiative: I didn’t feel like putting too much cost on
people on top of hardware when keeping packages around. The little “economy” I was hoping for (no NEW handling if the package gets reintroduced) is not really worth it IMHO. Thanks for raising the issue publicly.

Regards

David

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Tue, Aug 20, 2024 at 07:28:52AM +0200, Helmut Grohne wrote:

please allow me to open a can of worms. Package removal from unstable. Deciding when it is time to remove a package from unstable is difficult. There may be users still and it is unclear whether keeping the package imposes a cost. In this mail I want to argue for more aggressive package removal and seek consensus on a way forward.

Yes please.

What does package removal cost?

Before a package can be removed, it needs to be reviewed for reverse dependencies and if there are any, they have to be switched to something
else or removed as well.

(leaf packages are much more straightforward to remove because of this)

Human readable explanation:
* Packages in sid
* not in bookworm or trixie
* not a key package
* affected by an RC bug that has been last modified more than a year ago
* not among a few selected exceptions

Makes sense, though non-leaf ones can't be processed automatically and so
I'm not sure what can be done with them.

If we don't want to mass-remove all of these, there are additional
criteria (that I sometimes use to file manual removals) that can be added, though not all of them are possible to determine automatically:

* Leaf package
* A "library" (something not useful by itself)
* FTBFS - these can't be binNMUed, NMUed etc. without fixing an unrelated
bug first so they are in a worse condition thatn others in the context
we are discussing
* "Doesn't work at all" - these are not useful to users.
* Orphaned

Let us assume that we agree on there being a set of packages to be
removed. What is a reasonable process? Is it ok to just file a pile of
RoQA bugs or is more warning warranted? Should we maybe use a process
similar to salvaging where there is an "ITR" (intent to remove) bug that
is reassigned to ftp after a reasonable timeout?

Removing packages that aren't formally orphaned always sounds too bold to
me, though it should be fine if we formalize a process (any process) for
that.

--
WBR, wRAR

-----BEGIN PGP SIGNATURE-----

iQJhBAABCgBLFiEEolIP6gqGcKZh3YxVM2L3AxpJkuEFAmbESbgtFIAAAAAAFQAP cGthLWFkZHJlc3NAZ251cGcub3Jnd3JhckBkZWJpYW4ub3JnAAoJEDNi9wMaSZLh 9qEP/1LeBRNjUbYMnThpKukBTa3uLfRx5Ipz7Gb9P2IG9XfB373ueieiFuQDaFEc ETW/FlJBm2EsPajQzJIzri/Rgb/VwkFXnJY0fzsd0QJgwztLVdxssc0B0UvOtRkl FAi5wjiCUxa7RO6EcvtClm6f91Plv6klcV8Bg6PamH9+OO0wn/MMgytvD7ymoDDf ecqWnaOO8N9qYWLTje8Qs8feeLkj/195wK7rWFjygPLjfjdg4/MmxV6l2Y7RXfHw iuN6RiixFQoEV4KDrSqTj9QGt3xveEQaUzQiBmz5EaVTAG524J9dK3VGnnTcbtEJ A4P8JDPenpQS8VnCGy0sHco7t6AfY/h4c/lLKnyHKcclXzgIRZuMy0OSD7GVg+tC qDO5jlgrJXsfinFJfgNyjXL+TXDKB/lIFQ4miihgeOlm8j2KfpyKOTmJv4bjV2zn VVXuLJOBGgPPXxuLHIZKJmphljT1PVBkY7E9tfGehV/Y7imyNTyjXsGSBpryXbx9 BERpiDkIPBeh6qFXh1P7D49CY8BCNlAtQhQ/rWoi5a8v7VNn98Gf/MzqGndcMpDp UGh3RzfXGOtqMeMlM5gUBvWZrWVVp71SFZsSRjJ4P/0rAozA8VLR6cWO5cB+7kXk Pm9Slwmj3sJY8UrvS21yXPgUxAJksWtJzCbNPqLgi6/OxtOp
=JUTO
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 20.08.24 07:55, Johannes Schauer Marin Rodrigues wrote:

Hi,

[...]

if I remember correctly, a package can also become a key package by having a high-enough popcon value. If that is correct, maybe there should also be the inverse. Looking at your list, about 85% of those packages have a popcon lower
than 100. Taking the popcon value into account would also kinda make your hand-curated list of exceptions obsolete as your current list has popcons well
above 100, for example. If the popcon is taken into consideration, that would also give a little bit of insurance that only very few users will be affected.

That's what I thought too: we should somehow incorporate the popcon value.


Cheers,

Bastian

--
Dr. Bastian Venthur https://venthur.de
Debian Developer venthur at debian org

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

On 8/20/24 17:35, Bastian Venthur wrote:

That's what I thought too: we should somehow incorporate the popcon value.

I disagree -- the users most affected by a removal are those who
automate installation, and those will not be running popcon.

Popcon was introduced to determine which packages should go on the first installation CDs, but it cannot ever produce an accurate picture of
which packages are actually used (and that was communicated clearly back
then, but seems to have been lost to the sands of time).

Simon

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Helmut Grohne:

Hi fellow developers,

(modified resend, as first attempt didn't arrive)

please allow me to open a can of worms. Package removal from unstable. Deciding when it is time to remove a package from unstable is difficult. There may be users still and it is unclear whether keeping the package imposes a cost. In this mail I want to argue for more aggressive package removal and seek consensus on a way forward.

Hi,

I agree with the idea.

On the bias disclaimer side: I was a very vocal proponent for the
testing auto-removal. I see it as our greatest success of the early
2010s for reducing mental load of the RT during freezes.

Another bias: For me, implementing a automation on this front is higher
than getting out the "optimal degree of conservatism" correct. The
testing auto-remover did not start out with its current criteria either.

What does a package cost?

There are various QA-related teams looking at packages from other maintainers. When it trips a check, that often incurs time from some QA person investigating a report or failure. Examples:
* [...]

You can add to that any "archive-wide" change we have done or will do.
Other cases where we have or probably did run into such packages also
include:

* build-arch (now done)
* compiler hardening flags (now done)
* The C++ transition many years ago and the t64 transition (now done)
* Removing our implicit dependency on `fakeroot`

By virtue of being part of Debian, a package receives attention by a significant number of developers. Assigning a number is non-trivial, but
we can say for sure that it is significant. Especially developers doing /usr-move NMUS (e.g. Chris Hofstaedler and Michael Biebl) now wonder
how much effort to put into the remaining packages. Removing more
packages would reduce the number of NMUs required there.

As a data point, I am (also?) personally a lot less motivated to
implement changes or do NMUs when I have to deal with broken FTBFS
packages in sid. It is one of several roadblocks that make me reconsider whether I want to implement a change on a larger level.

It does not make sense for me to change such packages since I cannot (or
is not motivated to) fix the other problems. But I still need to track
them in case someone actually fixes the bugs but does not implement the
change I want to see in it.

[...]

When to remove a package?

I looked at UDD and came up with a suggested query.

https://udd.debian.org/bugs/?release=sid&notbookworm=only&nottrixie=only&merged=ign&keypackages=ign&flastmod=ign&flastmodval=366&rc=1&sortby=id&sorto=asc&format=html#results

Human readable explanation:
* Packages in sid
* not in bookworm or trixie
* not a key package
* affected by an RC bug that has been last modified more than a year ago
* not among a few selected exceptions

I think this is a good starting point.

On the exception list, I know Josch suggested a popcon limit.
Personally, I was thinking usertagging RC bugs that are "keep out of testing/package is not for stable" bugs and use usertag as filter to
replace the exceptions.

But either of those or even the hardcoded exception list (including
tweaks thereof) would be fine for me to get started. All of them gets us started and we can refine the exact details over time.

[...]

What do you think about the proposed criteria and suggested set of
source packages? Is it reasonable to remove these packages from
unstable? In a sense, it is extending the idea of the testing auto
remover to unstable. Similarly, a package can be temporarily saved by
mailing the respective bug.

I agree with the proposed criteria as a starting point. Like with the
testing auto-removal, we should expect some refinements to happen once
the proposal is implemented.

The code would have to deal with reverse dependencies somehow (which
both you and Andrey pointed out).

The testing auto-remover has a solution for reverse dependencies that
could work. It has the advantage (in the eyes of *this* beholder) that
it is aggressive.
Though I would be fine with a any version really. This include
starting with "all reverse dependencies must be eligible for automatic
removal on their own (or removed manually first)". From there, we can
always refine the algorithm and its aggressiveness for removal of
reverse dependencies.

Let us assume that we agree on there being a set of packages to be
removed. What is a reasonable process? Is it ok to just file a pile of
RoQA bugs or is more warning warranted? Should we maybe use a process
similar to salvaging where there is an "ITR" (intent to remove) bug that
is reassigned to ftp after a reasonable timeout?

I would say that at least one warning should be given for consistency
with the testing auto-remover. I am open to "how" and the timelines.

For me, the most important thing is that the process can be automated
end to end and that the tool is anchored somewhere to keep it
maintained. Therefore, I am a bit skeptical on the ITR bug concept on
the automation front, but I suppose it would have the advantage of
"living off the land" for bug notifications. That is one of the
complaints we have for the testing auto-remover.
The ITR bug concept would also lower the barrier to agreeing to a
"reassign the bug" rather than filing a new one. We could literally
include the BTS instructions in the bug so you could just copy-paste and
hit send. As long as this can be automated in practice (I am not an
expert in automation involved the BTS), then the ITR bug concept has
merit for me.

A concrete proposal could be to give a warning one month before
triggering the removal / filing the RM bug. In the timescale we are
working with, I am not invested in whether that is 11 + 1 months or 12 +
1 months.
What would be important is that you are guaranteed a minimum time to
act on the warning. This can be relevant if our selection criteria or
the dependency relation change and that should not lead to any immediate surprise removals[1]. It also acts as a safe-guard against bugs (there
will always be another bug).

Note: Requiring a warning first would also give all the packages on your
list an automatic grace period. I would see that as an excellent way of
testing the system and the process in practice to weed out "childhood diseases". :)

My personal motivation for looking into this actually is the /usr-move
work and the cross build support work. Please do consider me biased.

Helmut

[...]

On the "Where do we anchor this"-front, where do you see this live long
term? We have tons of QA tools that live and die with their interest of
their creator. I appreciate your are quite a persistent individual even
for Debian standards when it comes to archive-wide QA. However,
eventually everyone gets hit by a proverbial bus.

Organizationally, I think this would fit in the FTP master sphere of
influence in the long term (not saying the prototyping must happen
there), since they official decide the criteria for what is in the
archive. This would also parallel the testing auto-remover living under
the release team.

I know I said the FTP master team was resource constrained and that is
part of why I would say the prototype would happen outside the team. But
since they are in the receiving end of these RM bugs, it also makes
sense they have authority and is empowered to fix the tooling if it is sub-optimal for them in the long run.

Nevertheless, it would not be a blocker for me that the long term
maintenance strategy for this tool would be unclear when we implement
it. But I feel we should start that discussion, so we are clear on it
and also who is the authoritative source for future changes.
In my book, debian-devel consensus gathering is slow and can be quite draining, so we should not use it for "day-to-day" operational matters.
To me, that implies having a team with authority to manage that.
Leveraging a delegated team would checks some boxes for me on that
front, but it is certainly not a necessity.

Best regards,
Niels

PS: As much as I want automation, I do not mind the prototype starting
as a semi-automatic process if that is what it takes to get started.

[1]: A concrete example could be that a package with a 2-year old RC bug
was kept around because it had a reverse dependency and we start with
"no automatic reverse dependency removal". If that reverse dependency
was updated to drop that dependency then the RC buggy package should get
its warning and a grace timer of one month (in my proposal) rather than immediately getting removed.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 20.08.24 10:45, Simon Richter wrote:

Hi,

On 8/20/24 17:35, Bastian Venthur wrote:

That's what I thought too: we should somehow incorporate the popcon
value.

I disagree -- the users most affected by a removal are those who
automate installation, and those will not be running popcon.

Can you elaborate on that claim? I probably miss some context here, but
why do you think users most affected are the ones automating
installations and why do you think they won't be running popcon?

Popcon was introduced to determine which packages should go on the first installation CDs, but it cannot ever produce an accurate picture of
which packages are actually used (and that was communicated clearly back then, but seems to have been lost to the sands of time).

I think popcon does give a good approximation of how much percent of
people installed a certain package even if not everyone uses it, don't
you agree?

Last time I installed Debian it was still enabled by default.


Cheers,

Bastian

--
Dr. Bastian Venthur https://venthur.de
Debian Developer venthur at debian org

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Tue, Aug 20, 2024 at 11:09:51AM +0200, Bastian Venthur wrote:

I think popcon does give a good approximation of how much percent of people installed a certain package even if not everyone uses it, don't you agree?

Last time I installed Debian it was still enabled by default.

Was it?

(this should answer your first question too)

--
WBR, wRAR

-----BEGIN PGP SIGNATURE-----

iQJhBAABCgBLFiEEolIP6gqGcKZh3YxVM2L3AxpJkuEFAmbEX5ctFIAAAAAAFQAP cGthLWFkZHJlc3NAZ251cGcub3Jnd3JhckBkZWJpYW4ub3JnAAoJEDNi9wMaSZLh H+oP/02BPt35aB1PZ/SHexjrFMArsR8rcQFPXn/ewFTnIKVPnfU0VOSBNJrUQlYm 6Y2DsJhT29mMHm2NJBVOmPXDzw17EVulReejUs/cOfVIhgpX9iVlBmO1QrhAYOha S7IDPmcjNI0KtWg1HlyBXOjGzE1M7e9QbDHAVAvhUjpBSWwuGi89cJacUaoq2fWJ CVvJwWN9GS1gajMVWhLTiF6wwYsbg6ruUIfq/D3BH8g+BcbClGmEsVaPVXcEaP4/ gEmGPzF3eNIs3o84AcRpxlSf1M1QDeXF/VENt5mnXAbhtp2dhKkOaXiHltJc3R8N alZfa95xWMvCbl+U39O7B4QdKeE5OhAk7QrzpEw3KZuQaBf11mdwl5sSFmzxqifL oHo1pHbtPtid7bsiVhS6fm/W7ZrAE8AnMWxsGYq3bgnId+NNIJV5ahDu8Brh+0OJ rMl2f9JgSlemW5Ktedh5cxhYEkmfM4KRJRE5+p7xqMOpM1ywmZJ+554PcMl4mVyz WbimbRuBErQ9s0yq2u2T2aaHDg8nq2IroJhBqO7onHpICXWlTX51tmIjp3LKO43D c4PLgsOAHR8wKMkukE91D8/+nE7mjVStmJHIYYfxUxlc0RgUyOBpu7YjGogi33cU +xAD0WQWJzd4ZGscZuRXmyfnfvDqbiLJOLyxlhbmz3z73m13
=sHlk
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

On 20/08/24 at 07:28 +0200, Helmut Grohne wrote:

There are various QA-related teams looking at packages from other maintainers. When it trips a check, that often incurs time from some QA person investigating a report or failure. Examples:
* Lucas Nussbaum, Santiago Vila and a few more regularly perform
archive rebuilds and report failures. They review a significant
fraction of reports before sending, but there also is CPU resources
for performing all those builds involved.

FWIW, I exclude packages that are not in testing when performing archive rebuilds.

When to remove a package?

[...]

Human readable explanation:
* Packages in sid
* not in bookworm or trixie
* not a key package
* affected by an RC bug that has been last modified more than a year ago
* not among a few selected exceptions

This looks good to me.

Maybe we could also reduce the cost of removals for users and potential
new maintainers, by improving the information provided in various places
on how to get the latest source and binary packages that were in Debian (pointing to snapshot.debian.org).

Things to look at:
- messages sent to the BTS when closing bugs for removed packages
- tracker.debian.org

Lucas

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

On 8/20/24 18:09, Bastian Venthur wrote:

That's what I thought too: we should somehow incorporate the popcon
value.

I disagree -- the users most affected by a removal are those who
automate installation, and those will not be running popcon.

Can you elaborate on that claim? I probably miss some context here, but
why do you think users most affected are the ones automating
installations and why do you think they won't be running popcon?

Desktop installations (that are most likely to be running popcon,
because the user was asked to enable it during installation) will
usually not notice a package being gone -- they no longer get updates
for it, and if they use aptitude, it moves to the "Obsolete Packages"
section.

The people who will notice first are people building Docker images,
because a missing package means that their script fails. Docker images typically don't have popcon, because they don't go through d-i.

Popcon was introduced to determine which packages should go on the
first installation CDs, but it cannot ever produce an accurate picture
of which packages are actually used (and that was communicated clearly
back then, but seems to have been lost to the sands of time).

I think popcon does give a good approximation of how much percent of
people installed a certain package even if not everyone uses it, don't
you agree?

No. It is desktop heavy, and counts installations instead of users. This
is a feature for determining which CD image a package should go to,
because desktop users are most likely to install from CD/USB, and popcon directly impacts the installation experience here, but it is a bad
metric for determining how many users are affected by a change.

Simon

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 2024-08-20 Helmut Grohne <helmut@subdivi.de> wrote:

Hi fellow developers,

(modified resend, as first attempt didn't arrive)

please allow me to open a can of worms. Package removal from unstable. Deciding when it is time to remove a package from unstable is difficult. There may be users still and it is unclear whether keeping the package imposes a cost. In this mail I want to argue for more aggressive package removal and seek consensus on a way forward.

+1

What does a package cost?

There are various QA-related teams looking at packages from other

[ a lot]

I always notice this whenever I make a pretty minor transition, about
half the packages I have to deal with are of dubious usefulness and
quite unmaintainted.

[...]

mixer.app

[...]

On one hand I am proud that I managed to remove it early from testing
OTOH I should have had it removed from sid years ago. Bug filed now.

cu Andreas

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On August 20, 2024 12:16:47 PM UTC, Andrey Rakhmatullin <wrar@debian.org> wrote:

On Tue, Aug 20, 2024 at 12:12:33PM +0000, Scott Kitterman wrote:

Removing packages that aren't formally orphaned always sounds too bold to >> >me, though it should be fine if we formalize a process (any process) for
that.

The process currently is file an rm but against ftp.debian.org for removal from unstable using RoQA (remember, we're all QA) explaining the rationale and an FTP Team member will assess it and remove the package if it seems reasonable (the above

criteria are quite reasonable in that regard).

There are people doing this, we could use more, but it does happen. I've processed lots of these and it's virtually always fine. In the rare case of a mistake, the cost to rectify the mistake is a trip through New.

I don't think we need more process.

Oh, I'm sure it's fine both for people filing these and the FTP team, I'm >worried about reactions from the maintainers of those packages.

For those cases, the people who have been doing this will sometimes file a bug against the package as a heads up and then as for the removal a bit later. Of course I don't ever see the ones where the maintainer objects and nothing further comes of it,
but my impression is it's rare.

I do recall, at least once, suggesting an upload to experimental to keep the package in the archive, but get it out of the way in unstable. I think that there have been less than a handful of unhappy maintainers. When someone complains, I ask them to
reupload the package and give it a priority review in New (usually I also avoid snark about if you want to maintain the package, then maintain the package).

For most of the packages that fall into this category, I don't think maintainer reaction is a major issue.

I don't think we ought to take the human out of the loop and fully automate this as that would be more likely to have problematic results.

Scott K

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Tue, Aug 20, 2024 at 12:12:33PM +0000, Scott Kitterman wrote:

Removing packages that aren't formally orphaned always sounds too bold to >me, though it should be fine if we formalize a process (any process) for >that.

The process currently is file an rm but against ftp.debian.org for removal from unstable using RoQA (remember, we're all QA) explaining the rationale and an FTP Team member will assess it and remove the package if it seems reasonable (the above

criteria are quite reasonable in that regard).

There are people doing this, we could use more, but it does happen. I've processed lots of these and it's virtually always fine. In the rare case of a mistake, the cost to rectify the mistake is a trip through New.

I don't think we need more process.

Oh, I'm sure it's fine both for people filing these and the FTP team, I'm worried about reactions from the maintainers of those packages.

--
WBR, wRAR

-----BEGIN PGP SIGNATURE-----

iQJhBAABCgBLFiEEolIP6gqGcKZh3YxVM2L3AxpJkuEFAmbEiS8tFIAAAAAAFQAP cGthLWFkZHJlc3NAZ251cGcub3Jnd3JhckBkZWJpYW4ub3JnAAoJEDNi9wMaSZLh lLgP/j+3v2T5hYL1aRcypZHPqs+ddETocgzR4PuGG9gkMKYTG6H72WgJVCvCIWQq t7LIFb9TRxTYORoQGevtGink9ZXBZBZ1WBZdp2Z+epM6z7PcJdk5BeQQM80/0LLh tZSYurq4g/MZj6fboS15WBHiVEy3500VNtYzpOFWKsYwDA9wP3UqtHA+prp0Il2z BcYL8Y3xtaBH/Kx6vklCNWC8KjCCQz+dzkiuugpDYhqQMylmRgiXiypWp7XD1lXL 4dIDb7U8Q4A0LUab2xVR6iE+f+yy6+ueQnZ8qjEJn1p7Cp+bjGZv4FxRRBqV9shk wxkMUpniD0dduwe5o/U/WfOu6wOd0lEYAsICdmM2BoM8DNRF+yG8cZ/hKypIaaiG BjVRaXNab6+YstYK7sxXFx1IObi4IO7ddM7OW9fjZbaBdY2OHu5isayxyV7XDKNF u1VgeiQD6J0MDzGwfiQiWN99agORhfKHBLMKxgQGahOzqrhAv8LWqyo4QTHiZHxA 0pzYv29mF3z4URnJ4rEV2RC/Ncm2VsplYlRXuV1QOVmIuODLzqX+HCNUeIwc0bRq Uigqf3nt5WMl+/txZstsCJfptsmdPCVFGJApapEWJiu2+o/Nhf6yLGooJmR8uxxb ZF1y6jqHEDBAMjh5MGj38qy0tG8h81wcbOcQ3yWcpzSmTZZT
=M0Wk
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Le Tue, Aug 20, 2024 at 07:28:52AM +0200, Helmut Grohne a �crit :

please allow me to open a can of worms. Package removal from unstable.

Hi all,

I think that package removal from Unstable, total or partial (for
instance, 32-bit architectures) should be an automated self-sevice
system for leaf packages. And it should be permitted to batch-request transitive leaf package removals where B becomes leaf after A is
removed.

As of today, removing a package involves mailing the BTS and therefore
not knowing if the message arrived until the acklonledgement is
received, and not knowing when the acknowledgement will be sent. Then
the waiting time for the action is undetermined. Then the
acknowledgement message for removal can arrive together with a couple
hundred emails like mass-bug-fillings (like GCC updates) and autoremoval warnings, with the risk of of deleting the important information together
with the batch.

So as of today, it is much less work to keep a package rotting than
removing it.

Maybe interface for the self-service system could be a simple text file
in a Salsa repository writeable to all DDs. This would provide obvious accountability, and allow filters and monitoring to be implemented if
needed.

Have a nice day,

Charles

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

I also like us to remove more broken and unused packages from unstable.

On Tue, Aug 20, 2024 at 11:20:10AM +0200, Lucas Nussbaum wrote:

Maybe we could also reduce the cost of removals for users and potential
new maintainers, by improving the information provided in various places
on how to get the latest source and binary packages that were in Debian (pointing to snapshot.debian.org).

Things to look at:
- messages sent to the BTS when closing bugs for removed packages
- tracker.debian.org

YES, to all of the quoted stuff above. The BTS removal bug for that
package should have a pointer to snapshot.d.o with the last sources
as well as instructions how to reopen all bugs which were closed by
the package removal.


--
cheers,
Holger

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄

"Climate change" is an euphenism. "Global warming" as well.

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEuL9UE3sJ01zwJv6dCRq4VgaaqhwFAmbFvCoACgkQCRq4Vgaa qhw2yhAAmlCi2bhQDzp+JdHJGVgV6lLkfPxMHkbsJvH/BijNIHhM8iQe+IZCgait eRFeJzPVKdL0ImDhhst/iSPOn0IMO5rnLueRPH4HBYDwjMBmTB6LiT5dCMITATv+ 1b6W0vhcl62nNu5Ljiwpe5T1pGGMtvM2XMKqvcDE9LuToa+mOdOXOnsXZWES+4tL I8q98INw2fF/yhre5FHUfbyE/TNY/VTUhmeEDxrFrYMdImyKY1rCyEi0nNn9Zebs SG0uSjUfwtZImyw0IGqaUl711HjeYGvBngSzm+i6AP6rmD1btZQG6mWQY7Lk9JR3 SE+DvXudF9CWxz28kQtLvQgklP6f7NDocTINKTwP8bzqE4MPucpWECplkzwInTdo u7kzdQc9euT+r7wMLiR4fzS0gGUC2B26yYlI1pf94BII/YTqJTQJKG6B7lIgcgzq BNYdFAaXpxryXDPUVgXw9w7h+4KqIaxgL7VMmurzfcEBfaELA2JSoIZe6WiEsnBO 5jFgNIF2sOtc8zjrv3oTPPKtph/7yL+MCO9xMHtpG8rveCucrnCT7cQCRU+ReekG uy6igM4WCnL5BR2ic6Pz7TXqIi6M27I0OiwIv96KnxyVNagH2NUh3

On Wed, Aug 21, 2024 at 10:06:38AM +0000, Holger Levsen wrote:

Hi,

I also like us to remove more broken and unused packages from unstable.

On Tue, Aug 20, 2024 at 11:20:10AM +0200, Lucas Nussbaum wrote:

Maybe we could also reduce the cost of removals for users and potential
new maintainers, by improving the information provided in various places
on how to get the latest source and binary packages that were in Debian (pointing to snapshot.debian.org).

Things to look at:
- messages sent to the BTS when closing bugs for removed packages
- tracker.debian.org

YES, to all of the quoted stuff above. The BTS removal bug for that
package should have a pointer to snapshot.d.o with the last sources
as well as instructions how to reopen all bugs which were closed by
the package removal.

As a first necessary step, all removals need to leave a link to the
removal bug in the tracker. Currently it looks fragile somehow, as in my experience not all removed packages even have a link chain to it, and when
they do it's a non-obvious one via the removal email and a comment in it
(I think).

--
WBR, wRAR

-----BEGIN PGP SIGNATURE-----

iQJhBAABCgBLFiEEolIP6gqGcKZh3YxVM2L3AxpJkuEFAmbFxygtFIAAAAAAFQAP cGthLWFkZHJlc3NAZ251cGcub3Jnd3JhckBkZWJpYW4ub3JnAAoJEDNi9wMaSZLh cI0P/R2ehzFSyFSJZsAOCU6CgHLywSfFJPvWrazztRbID9YwnYtWXtbGRBytNEgV CLBjLFWA1HxBtQkla+1qgtheW1WX/1RhBmnGWDivzmjm+3gJLnNU0CA3JGAftSzP wM/x3BqpNEJa8IIxKYDMCb09ET9MMR+bWv30msIdqpdWTP9Wgh3f22y23gDFJ42g Tb3mPLvtUWDWYnR914W78RMrRi7thTKU588LonbU0uu6xJ0cZIvv+cGe97veZgIW FdN7sFo5QtjaZkaTanC2BuhSmCvBVcxoYFhgMuIifhlSG9yp/0Vt9ikB2dtcS3lS rBFOFophyhvZoM4EOPsSSarmO34GDXYvzEnTzyYUByoF9hAM6R+aMaDaJgD8htxJ yTSHE8Dr3UDKyPf5xNkeRWoqjD246iDxS0c6IAQRpiIVUOzwlzuFKpt0hx1rfbwo zuYJbGrBvLZ0N6KboyRCN1OmXtre61AhbZFyQCDLV1b75KBBOaw6+gBNF/z/feyC uKzgbm9EbDjt4KDiLNT0JOjN7nMblIVN8IZqoMe6IQtvvPIOJUNo93cZNkBNGyr9 rWl68j/+PsC279Q9NMyA2n9sflTvPfSS/Fdckp40odyeQvJo/5ckYlVHuNcgSAWp aRKmvu2GpPPuwCimcsI2zqgzuIbf3WUUpwD/lzgyCYgt6fJ/
=qVG4
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Wed, Aug 21, 2024 at 03:39:11PM +0200, Héctor Orón Martínez wrote:

I am surprised to not see more of those packages in the list, there
are many packages in those ecosystems with popcon between 1-10 users.

popcon wasn't used when building this list though (even via the key
packages condition, because AFAIK popcon is no longer used there). Most libraries just don't have RC bugs.

I checked several from the list:

golang-github-crewjam-saml - unfixed CVE, "Let's remove it from bookworm.
No reverse dependency.". There is a git commit with a new upstream version
that wasn't uploaded.
golang-github-jesseduffield-asciigraph - "Don't release with bookworm",
looks like it's not buggy, just useless.
node-mermaid - FTBFS, has git commits with fixes (not for everything I
guess) that weren't uploaded.
node-trust-webcrypto - FTBFS
ruby-diaspora-federation - FTBFS
ruby-uglifier - FTBFS

I have also been wondering if we could take a different approach for packaging libraries for language ecosystems that already have
packaging managers to play nicer with Debian packaging
maintainability. I find myself when I need to use such libraries I
need to build my own bundle to support specific applications since
Debian packaged versions don't tend to work well with the application
(the same is true for Rust, Python, etc.)

It's a very big and very controversial topic (at least if by "don't tend
to work well" you mean that we have too old or in some cases too new
versions).

--
WBR, wRAR

-----BEGIN PGP SIGNATURE-----

iQJhBAABCgBLFiEEolIP6gqGcKZh3YxVM2L3AxpJkuEFAmbF9LgtFIAAAAAAFQAP cGthLWFkZHJlc3NAZ251cGcub3Jnd3JhckBkZWJpYW4ub3JnAAoJEDNi9wMaSZLh krAP/2pTLwWH12dq018qjJLTrsdVFFfneHXZ5WhPI3I0SchuMtxqHFO4dSVAdnAp 6DDvYo3zdMMfy/9BtOMldtdj/yI03DxvVNGkvZ3qeZDIstDIFjLio+Rg4IP2LcTy D7elqeheNcUsayZrPNgTIRpuUtKHxaT/D35RGIVepYb3+qxMjbTDC+HyrR2d6MDH 11fWY2iUhppmELAufbZ1RuBOnXAS+m3Kbl7ZUjXWZ6GSGTuHpEhbHJ6iCwyqX7ri 5qt8lsTAeQvazEter/CrI0MG1GaPiMdKbuEkpEHk3Ab2iCzIxJym7MoTDN2eKQdf qUCQSmvVADoH/AnBKT/9WyLZ4xly2laJM4wbX8JJXHs6vukvwJmxgwSJLFxVSI6E Z7VVN0jgJXWMxH0xF4FA1WmtOOT4NHunqFyxSvULHf94qCJZ+OV9yEdUx8O9IrVh uwz9AWoSRDoETWcUnT5Z80LJArrc6AfeXbkPM6cQLzc+1EIWfsMZUI9xxQaHpz90 ecIhkeANtnD/qXqaVA4sGMLAEcbhTF5WnUlSvjMFS2bC+vfit1tRfqV4tTrE8wps LFO9YWpj61ckcJrz4cZBhYdyDmFBd/eTecDnhAHAtjOwL7fQO1Qp5MiKVeApuLKj nmoGbFM+58uaJ9+zqzhJQcIrdni6UTmnebTl4raOA8RDytLw
=d5jh
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

maintainability. I find myself when I need to use such libraries I
need to build my own bundle to support specific applications since
Debian packaged versions don't tend to work well with the application
(the same is true for Rust, Python, etc.)

I only use python libraries from debian. They seem to work fine.


--
Salvo Tomaselli

"Io non mi sento obbligato a credere che lo stesso Dio che ci ha dotato di senso, ragione ed intelletto intendesse che noi ne facessimo a meno."
-- Galileo Galilei

https://ltworf.codeberg.page/
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEQnSLnnbYmXmeH74Us6fPDIAYhs8FAmbF928ACgkQs6fPDIAY hs93Vg/+PD4XOpdtDG0Ohk0hxcEipktQr0RAhydmnLCT+gq4gMCqiPgKqFhY1hlP En1P+quSrQX3J+ho04S8Gk8QgfVdp8CJvdGRG7HJ0MQx8yo80loE7zkUUTt31996 axgU4Sq+5O95gzQ4d3BWiyAn6ZBc8pQ2QG14iX48nPizuOZBtPiv7SPJhNY/jCnI SOw49+ACg3Tvj5/35XS/KI53IGsLW+IK9H9FQvBe2wtOJ/MptlR+SLHy+Mmo0ZKo 1PPltCY0W/MkZafY1my4UcI2n8KVck8C18yhIbJ0GNtBAeugyrEq9JW0dXlxo7Wv Q8lVIX8OQ+ZbQLTqm0Lr7yj/2d/Vmy+INTxuq7ryfOVDg+tPkI30RjSfKIZHLjeH 3V+0TkP4ncFh0t0ptLDZV9bwQJLIqS4rXGdnU1uL8gToHya8drL0EqZ8VHii/b++ yMO4B2xn0PXxgzcAlN1CxJ/JXdLzJ9lEocioRYyoKeoOI74X4inwXcvP3ujBdJG1 IJyA2vP8SHhp6Ypcxp1JD/4pQ7WBaQX4kb2lAwjwfMT5GYeX5sPFvEF9cwAqhSJj ClkfZDIr8tfQvuBFhMQmm9x9KGIWw7tPgyRJOf5URHkAtMhfSmprQA4JItWPdeWg nOu42mI1TbPMsmBPu8kMKZVgAFlLE9n6/OLFPrBakTPCq9PcP9k=
=jnlD
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Copy: venthur@debian.org (Bastian Venthur)

I think popcon does give a good approximation of how much percent of
people installed a certain package even if not everyone uses it, don't
you agree?

No.

If something is mostly used on servers, it's very unlikely that popcon will be running.

--
Salvo Tomaselli

"Io non mi sento obbligato a credere che lo stesso Dio che ci ha dotato di senso, ragione ed intelletto intendesse che noi ne facessimo a meno."
-- Galileo Galilei

https://ltworf.codeberg.page/
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEQnSLnnbYmXmeH74Us6fPDIAYhs8FAmbF9fMACgkQs6fPDIAY hs/J9w/9F2xhD9mbPdnsTIIKXVWB/l6bo1lZc5hhb9Nqast3Q0EdZWZG/qonFuj/ KpzzlqlB0X1d5u65lG22BpPCoxWSazX4v+g2VINl2FvKcFOYhSbgIIHPKa9mXuEQ qI2AUeS7l8P4NFUxfj5TkVG+8TpJZKWAQ0QWknD4BgMyWQJap5J2miyNTIqiqh3V NhP9PnkmRriYqEt/V6D2VnCXaY2/4GhgJDcOlGB/8XLtmGakVkg25upqI+j1DMJf 8in8i8KdveWc0o9D/vdr/fN1sj7eccLC6zPPU7DnKRQ7MbpppavpR0nPsPByq35M o4Tv+R98kpOUNYpj3WN9rXU8Mv7PGvr9JYjarBlRde3DzBhIkHVLAtYXxUcSJOI8 a6oQgjA4+RpeKOAbg5dQqK1Y+/MeaurEf9nySOkw0Q0MefJhfRTij+8fJcsqt9GL c5bVYujVhsT0brhqkzLmzeWzCnu4+OjcoW+lemGzKpS0XDeiQ3oDEip2UOcmGJjq Nl5Gs1qR/IFA9iOeMQtf0b9MiZOD1iugAkoDfpxtg8+eP9Fuv8Sps2ZZWfY0tjIT Oi9Zlrlva1JcoyyNlyLi4gc3nRLbD29Qv+jB9lsb/g9vMRwVnHBAKBasArtSUSOr NC312u7PAdnftFQhosDKk7ImMfm91gm1FbcDrVYSbrQs6Zwq8SY=
=4dXE
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Tue, Aug 20, 2024 at 11:09:51AM +0200, Bastian Venthur wrote:

I think popcon does give a good approximation of how much percent of people installed a certain package even if not everyone uses it, don't you agree?

No, definitely not. There are hundreds of thousands of Debian systems
running in various cloud environments, and I'd be surprised if any of
them have ever submitted popcon data.

Last time I installed Debian it was still enabled by default.

Oh? I don't think it has ever been enabled by default.

noah

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Tue, Aug 20, 2024 at 11:09:51AM +0200, Bastian Venthur wrote:

I think popcon does give a good approximation of how much percent of people installed a certain package even if not everyone uses it, don't you agree?

Last time I installed Debian it was still enabled by default.

When was it?

My last installation of Debian on a laptop was approximately 1.5 years ago and it was off by default. It asked me if I want to enable it or not.

Did that change recently in D-I?

Best,
Nilesh

-----BEGIN PGP SIGNATURE-----

iHUEABYIAB0WIQSglbZu4JAkvuai8HIqJ5BL1yQ+2gUCZsYGJwAKCRAqJ5BL1yQ+ 2o2lAQDwpDxkKsIZyYROn/NK7JKUXrc0jUeK/u3Lt+3hTHDLLgD/euR1DKQB3HGO ZT/mfjUIWna6n9YSMmbbMR+10FWfNAA=
=2ws6
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Noah wrote:

On Tue, Aug 20, 2024 at 11:09:51AM +0200, Bastian Venthur wrote:

I think popcon does give a good approximation of how much percent of people >> installed a certain package even if not everyone uses it, don't you agree?

No, definitely not. There are hundreds of thousands of Debian systems >running in various cloud environments, and I'd be surprised if any of
them have ever submitted popcon data.

Last time I installed Debian it was still enabled by default.

Oh? I don't think it has ever been enabled by default.

It hasn't been AFAIK, no. d-i always asks, with the default being "no".

--
Steve McIntyre, Cambridge, UK. steve@einval.com Can't keep my eyes from the circling sky,
Tongue-tied & twisted, Just an earth-bound misfit, I...

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

------VEFLHLA34GXC5X1W1RTA2TWU1F6590
Content-Type: text/plain;
charset=utf-8
Content-Transfer-Encoding: quoted-printable

On 21 August 2024 3:22:16 pm UTC, Nilesh Patra <nilesh@debian.org> wrote:

My last installation of Debian on a laptop was approximately 1.5 years ago and >it was off by default. It asked me if I want to enable it or not.

Did that change recently in D-I?

I don't think it did. I have had a bunch of reinstallations in the previous year thanks to my stupidity and I am pretty sure it behaved the same way as you mentioned. And I very clearly remember not enabling it when I installed Debian for the first time,
not knowing then whatever this thing was.
------VEFLHLA34GXC5X1W1RTA2TWU1F6590
Content-Type: text/html;
charset=utf-8
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE html><html><body><div dir="auto">On 21 August 2024 3:22:16 pm UTC, Nilesh Patra &lt;nilesh@debian.org&gt; wrote:<br>&gt;My last installation of Debian on a laptop was approximately 1.5 years ago and<br>&gt;it was off by default. It asked me if
I want to enable it or not.<br>&gt;<br>&gt;Did that change recently in D-I?<br>&gt;<br><br>I don't think it did. I have had a bunch of reinstallations in the previous year thanks to my stupidity and I am pretty sure it behaved the same way as you
mentioned. And I very clearly remember not enabling it when I installed Debian for the first time, not knowing then whatever this thing was.</div></body></html>
------VEFLHLA34GXC5X1W1RTA2TWU1F6590--

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

* Scott Kitterman <debian@kitterman.com> [240820 14:35]:

On August 20, 2024 12:16:47 PM UTC, Andrey Rakhmatullin <wrar@debian.org> wrote:

On Tue, Aug 20, 2024 at 12:12:33PM +0000, Scott Kitterman wrote:

There are people doing this, we could use more, but it does
happen. I've processed lots of these and it's virtually always
fine. In the rare case of a mistake, the cost to rectify the
mistake is a trip through New.

I don't think we need more process.

Oh, I'm sure it's fine both for people filing these and the FTP team, I'm >worried about reactions from the maintainers of those packages.

For those cases, the people who have been doing this will
sometimes file a bug against the package as a heads up and then as
for the removal a bit later. Of course I don't ever see the ones
where the maintainer objects and nothing further comes of it, but
my impression is it's rare.

I have been trying to do this, with varying levels of success. When
I tried this, my process often was:

- file bug against the package in unstable, with a title of "RM?
<package> <reason>". Have some text, indicating that I'll wait a
month and then reassign to ftp.debian.org.
The text was often ad-hoc and can certainly be improved.

- Wait a month (or often more, because I did not keep track of these
packages systematically)

- Clone or reassign to ftp.debian.org, in the process retitling and
fixing up the metadata.


In more recent attempts, I tried:

- file RM bug against ftp.debian.org, immediately tagged moreinfo
and indicate to wait a month before untagging.

- Wait a month (or often more, because I did not keep track of these
packages systematically)

- Untag

The newer process is to me clearly superior because it's less work,
and IMO has the same chance of the maintainers reacting to it.

Hand-crafting bug metadata (when reassigning) for ftp.debian.org is
easy to mess up, so I'd rather skip that.

[..]
For most of the packages that fall into this category, I don't think maintainer reaction is a major issue.

I don't have any numbers of how often I've attempted these, but for
both versions I've heard back from one maintainer each in total.

However I want to point out that often I picked packages that saw no
maintainer uploads for many years (think 5 or more).

I suspect that many maintainers do not actually receive bug mails at
all.
For the usrmerge NMUs (all with 10 day delay and nmudiff mail etc),
a lot of maintainers were surprised to find out about the bug via
the ACCEPT mail.

Chris

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

I believe at least some of these packages were probably packaged as dependencies for packaging lazygit. I am not sure which all, but I remember atleast gocui, pty and termbox-go to be needed by lazygit in one way or another. There has been further work
on packaging lazygit towards the end of the previous year, which I believe was mostly finished, that was then delayed by the person primarily focusing on this being the chief organizer for DebConf24. I am not sure removing them is the best idea, given it
is part of an ongoing work.

Best,
Ananthu

golang-github-jesseduffield-asciigraph
golang-github-jesseduffield-gocui
golang-github-jesseduffield-pty
golang-github-jesseduffield-roll
golang-github-jesseduffield-rollrus
golang-github-jesseduffield-termbox-go
golang-github-jesseduffield-yaml
golang-github-manyminds-api2go

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hello Andrey,

On Wed, 21 Aug 2024 at 16:08, Andrey Rakhmatullin <wrar@debian.org> wrote:

I have also been wondering if we could take a different approach for packaging libraries for language ecosystems that already have
packaging managers to play nicer with Debian packaging
maintainability. I find myself when I need to use such libraries I
need to build my own bundle to support specific applications since
Debian packaged versions don't tend to work well with the application
(the same is true for Rust, Python, etc.)

It's a very big and very controversial topic (at least if by "don't tend
to work well" you mean that we have too old or in some cases too new versions).

Exactly that, I am happy to hear ideas, even if that's in a breakout thread.

Regards
--
Héctor Orón -.. . -... .. .- -. -.. . ...- . .-.. --- .--. . .-.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi Johannes and Bastian,

On Tue, Aug 20, 2024 at 10:35:47AM +0200, Bastian Venthur wrote:

On 20.08.24 07:55, Johannes Schauer Marin Rodrigues wrote:

Hi,

[...]

if I remember correctly, a package can also become a key package by having a
high-enough popcon value. If that is correct, maybe there should also be the
inverse. Looking at your list, about 85% of those packages have a popcon lower
than 100. Taking the popcon value into account would also kinda make your hand-curated list of exceptions obsolete as your current list has popcons well
above 100, for example. If the popcon is taken into consideration, that would
also give a little bit of insurance that only very few users will be affected.

That's what I thought too: we should somehow incorporate the popcon value.

I considered adding popcon to the criteria before hitting send. In the
end, I opted for not including it based on my own cost/benefit analysis.
While popcon may be a signal for the benefit-of-keeping aspect, it
provides little value for the cost-of-keeping part that feels most
important to me. As you point out, popcon is partially considered via
the key package constraint. As others (e.g. Niels) point out, the cost
of a package largely is a function of our ability to modify it and long
lasting RC bugs are a relatively high quality signal indicating that a
package is difficult to modify. Either some of those many users
(according to popcon) eventually gets interested in doing the hard work,
or we should put it onto the chopping block. Even mailing the rc bug
would reset its last modified timer.

If there ends up being consensus for adding popcon as a signal, so be
it. I've explained my reasons and am not too strongly attached to
excluding popcon.

Helmut

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --------------HqoLQ8quA1GvFJ2ZYqHxK2oB
Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: base64

SGkgaGVsbXV0LA0KDQorMQ0KDQpPbiAyMC0wOC0yMDI0IDA3OjI4LCBIZWxtdXQgR3JvaG5l IHdyb3RlOg0KPiAgICogQXMgcGFja2FnZXMgZmFpbCB0byBtaWdyYXRlIHRvIHRlc3Rpbmcg Zm9yIGEgbG9uZyB0aW1lLCBhIHJlbGVhc2UNCj4gICAgIHRlYW0gbWVtYmVyIGV2ZW50dWFs bHkgbG9va3MgYXQgdGhlIHBhY2thZ2UuDQoNCkkgcmVjb2duaXplIG15c2VsZiBoZXJlLiBC dXQgdG8gYmUgdG90YWxseSBmYWlyLCB0aGF0J3MgKm1vc3RseSogYWJvdXQgDQp0ZXN0aW5n LCBhbmQgd2UgaGF2ZSBwcm9jZXNzZXMgZm9yIHRoYXQuIE9uY2UgcmVtb3ZlZCBmcm9tIHRl c3RpbmcsIA0Kd2hhdCdzIGluIHVuc3RhYmxlIGlzIGhhcmRseSBhIG1hdHRlciBmb3IgdGhl IHJlbGVhc2UgdGVhbS4gRXhjZXB0IHdlIGRvIA0KbW9uaXRvciBwYWNrYWdlcyBpbiB0cmFu c2l0aW9ucywgYXMgd2Ugc2NoZWR1bGUgYmluTk1VJ3Mgc28gc29tZSBvZiANCnRob3NlIEZU QkZTIGJ1Z3MgY29tZSBmcm9tIHVzLg0KDQo+ICAgKiBUaGVyZSBhcmUgbWFueSBtb3JlIHBl b3BsZSBkb2luZyB2YXJpb3VzIGZvcm1zIG9mIFFBIGFuZCBzZW5kaW5nDQo+ICAgICBwYXRj aGVzLg0KDQpBbHRob3VnaCBJIGhhcmRseSBzZW5kIHBhdGNoZXMsIEkgZG8gZmlsZSAqbG9h ZHMqIG9mIGJ1Z3MgZm9yIA0KYXV0b3BrZ3Rlc3QgZmFpbHVyZXMgYW5kIG90aGVyIFFBIHJl bGF0ZWQgY2hlY2tzLiBBZ2FpbiwgbW9zdGx5IGZvciANCnRlc3RpbmcsIGJ1dCBvY2Nhc2lv bmFsbHkgZm9yIHVuc3RhYmxlIHRvby4gRm9yIGF1dG9wa2d0ZXN0LCB0eXBpY2FsbHkgDQp3 aGVuIEkgbmVlZCB0byBhZGQgcGFja2FnZXMgdG8gb3VyIHJlamVjdF9saXN0LCB3aGljaCBu ZWVkcyBtYWludGVuYW5jZSB0b28uDQoNCj4gTXkgcGVyc29uYWwgbW90aXZhdGlvbiBmb3Ig bG9va2luZyBpbnRvIHRoaXMgYWN0dWFsbHkgaXMgdGhlIC91c3ItbW92ZQ0KPiB3b3JrIGFu ZCB0aGUgY3Jvc3MgYnVpbGQgc3VwcG9ydCB3b3JrLiBQbGVhc2UgZG8gY29uc2lkZXIgbWUg Ymlhc2VkLg0KDQpJJ20gYmlhc2VkIHRvbywgYnV0IEkgZG9uJ3QgdGhpbmsgdGhhdCdzIGJh ZC4gWW91IGFuZCBJIGFyZSBkb2luZyBxdWl0ZSANCmEgYml0IG9mIHRoaXMgd29yaywgc28g d2UgaGF2ZSBhIHNheS4NCg0KQXMgaXMgcXVpdGUgY29tbW9uLCBJIGFncmVlIHdpdGggYSBs b3Qgb2Ygd2hhdCBOaWVscyByZXBsaWVkIHRvbyBvbiB0aGUgDQp0b3BpYyBvZiBhdXRvbWF0 aW5nIHRoaXMuIGF1dG9yZW1vdmFsIGZyb20gdGVzdGluZyBjdXJyZW50bHkgaXMgbW9zdGx5 IA0KaGFuZGxlZCBieSB1ZGQsIHdoaWNoIHdhcyBncmVhdCB0byBnZXQgdGhpcyBib290c3Ry YXBwZWQsIGJ1dCBhdCB0aGlzIA0KbW9tZW50IG1ha2VzIG1lIHVuY29tZm9ydGFibGUgYXMg YSBSZWxlYXNlIFRlYW0gbWVtYmVyLiBUaGUgdG9vbCBzaG91bGQgDQpiZSBvd25lZCBhbmQg bWFpbnRhaW5lZCBieSB1cy4gV2hlbiBJIGZpcnN0IHdhbnRlZCB0byBtYWtlIGNoYW5nZXMg dG8gDQppdCwgSSBjb3VsZG4ndCBldmVuIGRvIGl0IGJlY2F1c2UgSSB3YXNuJ3QgbWVtYmVy IG9mIHRoZSByaWdodCB0ZWFtLCANCndoaWNoIGZlZWxzIHdlaXJkLiBUaGUgc2FtZSBpcyB0 cnVlIGZvciB0aGUga2V5IHBhY2thZ2Ugc2V0IGNhbGN1bGF0aW9uIA0KKHdoaWNoIGlzIHN0 cm9uZ2x5IHJlbGF0ZWQpLg0KDQpQYXVsDQo=

--------------HqoLQ8quA1GvFJ2ZYqHxK2oB--

-----BEGIN PGP SIGNATURE-----

wsB5BAABCAAjFiEEWLZtSHNr6TsFLeZynFyZ6wW9dQoFAmbG4vIFAwAAAAAACgkQnFyZ6wW9dQp+ kwf/fPev8b76pM8S9JJccEvOlFSIZvNewFuMcmafKlKGuTBMtJWrUYGxKa0BUICCYIht5Q5z8sct fMMy/h0PG7kTxKsnGcqH2E7yUumra5ISnWiuWU8fmp7NF5JyAfnfj15jj6Dk2q1DfKCxvW6cA8uY Bdqj7q3dvbVGVjK2TUYfKmQA1BM4SaeqoFTLejAfYAXd2ysOo5RAFNBf5FidCzcXc7rAWaZfzejP 1x7M07yXsPWzQP5KGFEOQvEX72yzhK0Mv001VT1Alzwj3KUsVwZFn/nhhQfTsTUQ3e7Y9zpD4Sa+ OGGjB67LkCh6nLlyW4eDxPK3+SIw4uc0QsSRzCKbZA==
=46ob
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

Am Tue, Aug 20, 2024 at 02:51:49PM +0900 schrieb Simon Richter:

enigmail

Thunderbird has native GPG support now, including (well-hidden) support for calling into the installed gpg binary to use a smartcard.

mutextrace

Oof, I should fix that finally, because in principle a debugging layer to find lock hierarchy violations would be good to have.

obs-websocket

Websocket support was merged into the main program a while ago.

To my understanding this reads like: We can remove enigmail and
obs-websocket or what do you want to express? If so would you mind
filing removal bugs?

Kind regards
Andreas.

--
https://fam-tille.de

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Am Tue, Aug 20, 2024 at 11:09:31AM +0200 schrieb Helmut Grohne:

I considered adding popcon to the criteria before hitting send. In the
end, I opted for not including it based on my own cost/benefit analysis. While popcon may be a signal for the benefit-of-keeping aspect, it
provides little value for the cost-of-keeping part that feels most
important to me. As you point out, popcon is partially considered via
the key package constraint. As others (e.g. Niels) point out, the cost
of a package largely is a function of our ability to modify it and long lasting RC bugs are a relatively high quality signal indicating that a package is difficult to modify. Either some of those many users
(according to popcon) eventually gets interested in doing the hard work,
or we should put it onto the chopping block. Even mailing the rc bug
would reset its last modified timer.

These are very good arguments.

If there ends up being consensus for adding popcon as a signal, so be
it. I've explained my reasons and am not too strongly attached to
excluding popcon.

Anyway I think while a low popcon should not really put a package on the potential removal list but a high popcon might be a good reason to
remove the package from the list. My guess is that you will not find
that many high popcon packages in your list so it will probably not
become way shorter by removing high (by whatever definition of high)
popcon packages.

Thank you in any case for your investigation
Andreas.

--
https://fam-tille.de

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Wed, Aug 21, 2024 at 08:40:15PM +0000, weepingclown wrote:

Hi,

I believe at least some of these packages were probably packaged as dependencies for packaging lazygit. I am not sure which all, but I remember atleast gocui, pty and termbox-go to be needed by lazygit in one way or another. There has been further work

on packaging lazygit towards the end of the previous year, which I believe was mostly finished, that was then delayed by the person primarily focusing on this being the chief organizer for DebConf24. I am not sure removing them is the best idea, given it
is part of an ongoing work.

Is there any further intended effort for lazygit?

Best,
Ananthu

golang-github-jesseduffield-asciigraph
golang-github-jesseduffield-gocui
golang-github-jesseduffield-pty
golang-github-jesseduffield-roll
golang-github-jesseduffield-rollrus
golang-github-jesseduffield-termbox-go
golang-github-jesseduffield-yaml
golang-github-manyminds-api2go

I am fixing riscv64 FTBFS in some of these now so it migrates properly.
If the work is mostly done, we can quickly wrap up lazygit in a month or two. Want to give a hand?

Best,
Nilesh

-----BEGIN PGP SIGNATURE-----

iHUEABYIAB0WIQSglbZu4JAkvuai8HIqJ5BL1yQ+2gUCZsdgYQAKCRAqJ5BL1yQ+ 2u5NAP45uucY68NqtlzZMfdS8paAwQ0gsmEzauhUozknLxxHGgEAkU5iVlatFmST 01zfTytFnIv60eC36uz7RYdlb/TGRgI=
=X7As
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Wed, Aug 21, 2024 at 08:40:15PM +0000, weepingclown wrote:

I believe at least some of these packages were probably packaged as dependencies for packaging lazygit. I am not sure which all, but I
remember atleast gocui, pty and termbox-go to be needed by lazygit in
one way or another. There has been further work on packaging lazygit
towards the end of the previous year, which I believe was mostly
finished, that was then delayed by the person primarily focusing on this being the chief organizer for DebConf24. I am not sure removing them is
the best idea, given it is part of an ongoing work.

This reminded me of some "library" packages (I don't remember the
language) that are RC-buggy and IIRC orphaned that are stated to be deps
of some large project which is no longer in unstable.
I wonder if such leaf libraries should be removed even when not RC-buggy,
but it's unclear who can decide that (in those cases it could be the one
who orphaned them).

--
WBR, wRAR

-----BEGIN PGP SIGNATURE-----

iQJhBAABCgBLFiEEolIP6gqGcKZh3YxVM2L3AxpJkuEFAmbHaoEtFIAAAAAAFQAP cGthLWFkZHJlc3NAZ251cGcub3Jnd3JhckBkZWJpYW4ub3JnAAoJEDNi9wMaSZLh 9K8P/0XIAqmwYZoln2E5Xt2fxBbLI8U4cOUMzFHwbib8YOoltYpiZ2EOw4notFKm jPbeoteaIJgoaYqXC3b1vuGVCKrJwSTr1Nqmn13IYF81Kg+abMLVTL30ghHcCpG5 ugcfGk36DDcUMrrQDincl4U7oWMPUMOrD7EoPP7ccpMwhWUChpAgI4HAY0qCFNSl CQYydOUR4i0/0zq7VjGcsbDW7H7zTVU09ujiaagTnhvx9u5Ft/TMV/v0OaAPslRf DsWKq9AQ8LpVXAkbAl+8ScLNyExlUei0uYhygEI/eFlRBzvMpjC6odJtLA2NjQAO ZW6Jj62/25KHQ0/IJfXSWGPIDs90I32aJm1N6dQiuwm88sGdrxtg4r9wbvTXFWgd PBbTauV1xjaSyT2fVJ2o3VtCny7nr5wE0HfktrGYdSBeWJsARhRpCcfsDC5v2Dle owFc9pqN8bLXWvgATRitFQVmcajefeepEp4t7w/HaN6v9ec8S9l+HW5+uTis4xY3 d99nxguhNQ59VD8sWEUSClvT4zT1MBWnRT7PzvcqVwSxiclnZG3sqpOuszWvTJ4P SCqLtcITcPb4znkERcTKCg4FiXQR4YFSeuVWDvZDqJw4mTL1mz/XHd4cGHwGvklu AfRsjFnq0G6PISoYx6Xn9zqvIl2kGRtMdemexUkzh1+G1ZYi
=wgt7
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)