Petr Viktorin <pviktori(a)redhat.com> schrieb am Fr., 29. Juli 2016 um
On 07/20/2016 09:01 AM, Matthias Runge wrote:
> On 14/07/16 16:20, Tim Orling wrote:
>> Hi Petr,
>> It is precisely the security information that I am seeking access to. My
>> job depends on it.
>> I have already done everything in . In some cases more than once. And
>> we are talking over the period of many months. So let me ask this in
>> return: what is the process once someone has done everything in ? The
>> only place that I can have any dialog is this mailing list or
>> #fedora-python. Application to the FAS group is a one time, one way
>> thing. Application to the python-sig mailing list is a one way thing. A
>> human on the other end must make some action to move the process
>> Out of frustration, I emailed tomspur recently, as he is listed as the
>> main contact for python-sig group in FAS. Other than a response from
>> him, I have not heard anything else. I can understand that it is summer
>> and people have holidays and it has not been that long yet.
What was his response?
My response was, that I'm quite busy recently and don't find enough time to
work on Fedora in general. I would welcome a more active python community
and have sponsored a few people, that I know, to the python-sig to get
everything going. It would be great, if we can reive the python-sig and
more sponsors will look for new contributors. My initial goal for "please
write a short introduction of yourself to the python-devel list" was
exactly that: Getting to know each other and kicking off a discussion. I
can only sponsor people, who I know and rely on other sponsors to do the
>> But I must reiterate that this process has been going on for
>> my side. Fedora already has a problem of perception of being too Red Hat
>> insider in some circles. My observation has been that Red Hat employees
>> have been gently reminded on #fedora-python that they need to apply to
>> python-sig. I am assuming they have been successful. Meanwhile, I wait
>> for action on the part of a member of python-sig.
You're waiting for action of a *sponsor* of python-sig, which is a much
- Thomas Spura (who approved me) is not a Red Hatter as far as I can tell.
- I've been at Red Hat, working on Python software in Fedora, for more
than three years before being nudged into applying to python-sig. I
that the nudging was related to work I've done, not to who employed me.
I cannot speak for the nudging, but I approved you, as you are very active
on github's fedora-python and I knew you from there.
> That action could be as simple as, "we don't know you,
could you please
>> submit a python package for review so we can start to get to know you?".
>> But that still requires action on the part of a member of python-sig.
I'm not a gatekeeper, and I don't know the exact process. But the wiki
"If there is interest and shown familiarity with our guidelines and
processes (which usually manifests in maintaining at least 5 to 10
Python packages) you can apply for having access to a broader group of
packages that is commonly maintained. If you choose to apply for this,
please discuss it with a sponsor of the python-sig. (You can find a list
of those in FAS.) "
This changed now quite recently and is hopefully more understanable. I had
a discussion on #fedora-python with Charlalampos Stratakis and Miro Hroncok
and we try to be more active and try to revive the python-sig.
So, your mail to Thomas was exactly the thing you need to do.
The process should be made less private. On the other hand, porbably
it's just expected that you're somewhat known in the community and have
been in contact with one of the sponsors before.
Maybe the wiki page was misleading before. But you can only sponsor someone
who you know and trust. If you are actively maintaining python packages,
getting to know a sponsor should be doable.
>> I can tell you that the response from the perl-sig community
>> more inviting.
> sorry to hear, your experience was quite frustrating.
> In my understanding, there's not much you get from being member of the
> SIG or the FAS group.
> I'm not sure, if security information is actually shared here, I would
> expect no information being under embargo to be shared via this list.
> Especially, what kind of enforcement do we have, if some security
> sensitive information is being disclosed.
My understanding is that the *only* reason the python-sig mailing list
is not open is that security-related bugs might be discussed there.
Otherwise we could just open it up for everyone and stop playing this
frustrating gatekeeping game.
Yes, that was the reason, for not forwarding all changes to the
python-devel list and creating a new one with all commits/bugs (including
security-related ones). All discussion still takes place on this list.
I'm sorry that your experience was not a good one so far and we hope that
this process will improve in the coming weeks...
All the best,
> Your case could (or should) serve as an example, what can go
> the SIG and a onboarding process.
> Ideally, we'd have a documented process and a tracker, where status of
> approvals being tracked. FAS only provides 3 state (nothing, unapproved,
> approved). Maybe it's useful to do a process comparable to becoming a
> sponsor or a mentor in fedora (open a ticket in trac, have an open
> discussion about each person, including a vote.)
python-devel mailing list