• Brief progress report on the Gateway to NEW project.

    From Charles Plessy@21:1/5 to All on Sat Apr 5 18:10:01 2025
    Hi all,

    I just want to update you with a few words about the Gateway to NEW
    project. (https://salsa.debian.org/newgateway-team)

    Our goal is to have an infrastructure and tools to host pre-upload
    peer-review of the debian/copyright file of source packages before they
    are sent to the NEW queue, in the hope of making them perfect and reduce
    the rejection rate, thus accelerating the processing.

    At the moment there are rudimentary Salsa CI pipelines that aim at
    providing a web-browsable view of the package contents that are relevant
    for copyright checks (https://salsa.debian.org/newgateway-team), and
    another repository hosting a checklist and hosting the reviews in its
    issue tracker (https://salsa.debian.org/newgateway-team/reviews/-/blob/main/.gitlab/issue_templates/Default.md).

    We explored two possible workflows, one where one issue contains all
    the review, and one with one issue per review. The first one, simpler,
    is gaining traction, but we are only three, so, the door is surely not
    closed for other ways of operating in the future.

    I would be delighted if more people would join, as much on the review
    side as on the pipeline development side. There is a lot to do, but we
    can change Debian together!

    Have a nice week-end!

    Charles

    --
    Charles Plessy Nagahama, Yomitan, Okinawa, Japan
    Debian Med packaging team http://www.debian.org/devel/debian-med
    Tooting from work, https://fediscience.org/@charles_plessy
    Tooting from home, https://framapiaf.org/@charles_plessy

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andrea Pappacoda@21:1/5 to Charles Plessy on Sat Apr 5 18:50:01 2025

    Hi Charles,

    On Sat Apr 5, 2025 at 5:59 PM CEST, Charles Plessy wrote:
    > I just want to update you with a few words about the Gateway to NEW
    > project. (https://salsa.debian.org/newgateway-team)
    >
    > Our goal is to have an infrastructure and tools to host pre-upload
    > peer-review of the debian/copyright file of source packages before
    > they are sent to the NEW queue, in the hope of making them perfect and
    > reduce the rejection rate, thus accelerating the processing.

    I'm sorry, but I don't understand. Why should I do copyright reviews in
    the Gateway to NEW team, instead of joining the NEW team itself?
    (Ignoring the fact that joining the NEW team is a more involved process)

    As I understand it, doing copyright reviews outside of the NEW team
    would not speed up processing, as they would have to re-review
    everything anyway. The only thing this would help with is reduce
    rejection rate, but in my experience rejects are quite rare.

    Let me know if I'm missing something! Bye :)

  • From Simon Josefsson@21:1/5 to Andrea Pappacoda on Sun Apr 6 00:50:01 2025
    "Andrea Pappacoda" <tachi@debian.org> writes:

    > Hi Charles,
    >
    > On Sat Apr 5, 2025 at 5:59 PM CEST, Charles Plessy wrote:
    >> I just want to update you with a few words about the Gateway to NEW
    >> project. (https://salsa.debian.org/newgateway-team)
    >>
    >> Our goal is to have an infrastructure and tools to host pre-upload
    >> peer-review of the debian/copyright file of source packages before
    >> they are sent to the NEW queue, in the hope of making them perfect and
    >> reduce the rejection rate, thus accelerating the processing.
    >
    > I'm sorry, but I don't understand. Why should I do copyright reviews in
    > the Gateway to NEW team, instead of joining the NEW team itself?
    > (Ignoring the fact that joining the NEW team is a more involved process)
    >
    > As I understand it, doing copyright reviews outside of the NEW team
    > would not speed up processing, as they would have to re-review
    > everything anyway. The only thing this would help with is reduce
    > rejection rate, but in my experience rejects are quite rare.

    For me the utility of this is to improve quality of packages. The more
    review a package gets, chances are lower that it doesn't contain
    serious mistakes. If you want to join the NEW team and do reviews there
    instead, I would be equally happy.

    /Simon


  • From Charles Plessy@21:1/5 to All on Sun Apr 6 14:30:01 2025
    Le Sat, Apr 05, 2025 at 06:45:09PM +0200, Andrea Pappacoda a écrit :

    > I'm sorry, but I don't understand. Why should I do copyright reviews
    > in the Gateway to NEW team, instead of joining the NEW team itself?

    Hi Andrea,

    the FTP Team does not accept applications at the moment. Indeed I sent
    one recently and received no answer.

    Every time a package is rejected from NEW, it has to be reviewed once
    again, which mechanically slows down the queue. Thus I aim that
    pre-upload peer review will accelerate the processing.

    Also I hope that peer-review will evolve into a process so efficient and
    trusted, that at some point it will become a matter of course to
    completely switch to that way to screen new packages, and that the
    waiting time will become just a couple of days maximum in most cases.

    Have a nice day,

    Charles

    --
    Charles Plessy Nagahama, Yomitan, Okinawa, Japan
    Debian Med packaging team http://www.debian.org/devel/debian-med
    Tooting from work, https://fediscience.org/@charles_plessy
    Tooting from home, https://framapiaf.org/@charles_plessy

  • From Nilesh Patra@21:1/5 to Charles Plessy on Sun Apr 6 16:40:03 2025
    On 05/04/25 9:29 pm, Charles Plessy wrote:
    > Hi all,
    >
    > I just want to update you with a few words about the Gateway to NEW
    > project. (https://salsa.debian.org/newgateway-team)
    >
    > Our goal is to have an infrastructure and tools to host pre-upload
    > peer-review of the debian/copyright file of source packages before they
    > are sent to the NEW queue, in the hope of making them perfect and reduce
    > the rejection rate, thus accelerating the processing.
    >
    > At the moment there are rudimentary Salsa CI pipelines that aim at
    > providing a web-browsable view of the package contents that are relevant
    > for copyright checks (https://salsa.debian.org/newgateway-team), and
    > another repository hosting a checklist and hosting the reviews in its
    > issue tracker (https://salsa.debian.org/newgateway-team/reviews/-/blob/main/.gitlab/issue_templates/Default.md).
    >
    > We explored two possible workflows, one where one issue contains all
    > the review, and one with one issue per review. The first one, simpler,
    > is gaining traction, but we are only three, so, the door is surely not
    > closed for other ways of operating in the future.
    >
    > I would be delighted if more people would join, as much on the review
    > side as on the pipeline development side. There is a lot to do, but we
    > can change Debian together!

    Do you plan to integrate this into the existing salsa-ci-team/pipeline?

    Best,
    Nilesh

  • From Sean Whitton@21:1/5 to Charles Plessy on Mon Apr 7 02:30:01 2025
    Hello Charles,

    On Sun 06 Apr 2025 at 12:59am +09, Charles Plessy wrote:

    > At the moment there are rudimentary Salsa CI pipelines that aim at
    > providing a web-browsable view of the package contents that are relevant
    > for copyright checks (https://salsa.debian.org/newgateway-team), and
    > another repository hosting a checklist and hosting the reviews in its
    > issue tracker (https://salsa.debian.org/newgateway-team/reviews/-/blob/main/.gitlab/issue_templates/Default.md).

    Thanks for working on this. Would you be able to provide me a link to
    an example of this web-browseable view? I might be able to provide some
    feedback.

    Thanks!

    --
    Sean Whitton

  • From Charles Plessy@21:1/5 to All on Mon Apr 7 15:50:01 2025
    Le Sun, Apr 06, 2025 at 07:50:34PM +0530, Nilesh Patra a écrit :

    > Do you plan to integrate this into the existing salsa-ci-team/pipeline?

    Le Mon, Apr 07, 2025 at 08:25:22AM +0800, Sean Whitton a écrit :

    > Would you be able to provide me a link to an example of this
    > web-browseable view? I might be able to provide some feedback.

    Hi! Thanks for your replies,

    I surely want to have the CI pipelines to be not only fully compatible,
    but also to take advantage as much as possible of the salsa CI team's
    work. I have not suggested yet that they take them up because now is
    high iteration time, especially that I am such a beginner. Also, I am
    not sure if the current pipelines (except licenserecon, but this one is
    not really our creation) are worth running after a package is accepted
    in the archive.

    I can only offer an outdated example, but I think that it gives the gist
    of it:

    In https://salsa.debian.org/newgateway-team/reviews/-/issues/3 you can
    see how I opened an issue for an R package and started with my
    self-assessment using a checklist. (Its template has been simplified,
    mostly by moving away the points that are taken care of by Lintian and
    debhelper).

    The links to the pipeline runs were not posted at the top of the issue
    because they did not work at that time, but the current issue template
    has now stubs at the top.

    Three pipelines were run for the package and reported here:

    https://salsa.debian.org/r-pkg-team/r-cran-multitaper/-/pipelines/831341

    The first one greps for `-e 'copyr' -e '©' -e '(c)' -e 'licen[cs]e'`
    and returns its results in color for easy browsing, see the link below.
    It also saves the results in a file that can be downloaded. Surely one
    can run the same git grep command by hand, but the idea is to pre-run
    and make it browsable easily by anybody.

    https://salsa.debian.org/r-pkg-team/r-cran-multitaper/-/jobs/7243353

    The second reports about the file types found in the source package. It
    would be nice to tweak it to make it more colorful, for instance to spot
    the binary files that may contain copyright statements that Git has
    missed, like images or PDFs. Contrary to the example below, the
    current version does not report directories nor the contents of the
    `.git` directory.

    https://salsa.debian.org/r-pkg-team/r-cran-multitaper/-/jobs/7243354

    An alternative or complement would of course be to modify the first
    pipeline so that it uses git attributes to convert usual suspect binary
    files into text that can be grepped, for instance by running exiftool
    on images, etc.

    There is also licenserecon, which in principle should pass and report
    nothing. In the case of this package, it fails partly because FORTRAN
    comment signs blur the view of the parser and cause it to lose accuracy
    in detecting the version of the GPL boilerplate.

    https://salsa.debian.org/r-pkg-team/r-cran-multitaper/-/jobs/7243355

    In principle such runs should lead to report bugs on the toolchain
    like licenserecon and to the improvement of the tools. In practice, I
    did not have time…

    I'd be more than happy to review a package from whoever adds these CI
    pipelines to their repo and opens an issue!

    Have a nice day,

    Charles

    --
    Charles Plessy Nagahama, Yomitan, Okinawa, Japan
    Debian Med packaging team http://www.debian.org/devel/debian-med
    Tooting from work, https://fediscience.org/@charles_plessy
    Tooting from home, https://framapiaf.org/@charles_plessy

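The first two jobs described in the message above (the copyright grep and the report of files Git cannot grep) can be approximated locally. This is an added example, not part of the original message and not the Gateway to NEW pipeline code; the function names and the constructed sample repository are assumptions.

```shell
#!/bin/sh
# Added example: local approximation of the copyright-grep and file-type jobs.
# Function names and the sample tree are assumptions, not the project's CI code.

# Print file:line:text for every tracked text line matching the patterns quoted
# in the message. -i ignores case, -I skips files Git classifies as binary.
# Exit status 1 from git grep only means "no match", so it is not an error.
copyright_grep() {
    git -C "$1" grep -n -i -I \
        -e 'copyr' -e '©' -e '(c)' -e 'licen[cs]e' || [ $? -eq 1 ]
}

# List tracked, non-empty files that Git treats as binary, i.e. the ones the
# grep above never looked inside (images, PDFs, ...) and a reviewer must open.
binary_files() {
    text=$(mktemp)
    git -C "$1" grep -I -l -e '' | sort > "$text"   # files Git reads as text
    git -C "$1" ls-files | sort | comm -23 - "$text" |
        while read -r f; do
            if [ -s "$1/$f" ]; then echo "$f"; fi
        done
    rm -f "$text"
}

# Build a small constructed repository (not a real package) for a dry run:
# a Fortran-style source with a GPL header, an R file, and a fake JPEG.
make_sample() {
    d=$(mktemp -d)
    git init -q "$d"
    printf 'c  Copyright (C) 2010 Example Author\nc  GNU General Public License\n      x = 1\n' > "$d/src.f"
    printf '# © 2021 Another Example\nmain <- function() 1\n' > "$d/R.R"
    printf '\377\330\377\340JFIF\000\001binary' > "$d/logo.jpg"
    git -C "$d" add -A
    echo "$d"
}

# Stand-alone use: sh review.sh /path/to/package-repo
if [ -n "${1:-}" ]; then
    copyright_grep "$1"
    binary_files "$1"
fi
```

Files listed by `binary_files` are the ones whose embedded metadata the grep cannot see, which is the gap the message proposes closing with git attributes and exiftool.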
  • From Sean Whitton@21:1/5 to All on Mon Apr 14 03:00:01 2025
    Hello,

    Thanks for the links. The checklist in itself seems like it would fix a
    lot of problems. Here are some comments:

    - The item "A verbatim copy of the package’s copyright information is
    often required to be present in /usr/share/doc/PACKAGE/copyright, too;
    see Copyright considerations." doesn't seem clearly actionable.

    It's already basically covered by "All the copyright holders found by
    the copyright-grep CI test are mentionned in debian/copyright.".

    - That requirement could be weakened: "All the copyright *notices* [not
    holders] found by the copyright-grep CI test are mentionned in
    debian/copyright except those where copyright *notices* are already
    installed in plain text in the binary package." (this is the issue
    that "often required to be present" is trying to get at -- let me know
    if you're not clear on what I mean).

    - Some items to check for preferred forms for modification would be
    helpful. For example if there is a .jpg with metadata saying it was
    exported from Photoshop, then we also need the .psd in
    d/missing-sources.

    - The grep copyright CI jobs are nice. Hopefully over time we can tweak
    them to exclude duplicates etc. It can be done collaboratively so
    that people's efforts can be pooled.

    All in all, a great start to this effort.

    --
    Sean Whitton
