46 comments

[ 0.24 ms ] story [ 77.0 ms ] thread
This is rather depressing. Debian Live has been an important part of Debian for quite some time, and I have used that guy's work quite a lot.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754910 is quite telling. This does not diminish the importance of Daniel's work on debian-live, but there's always two sides to every story.
The way I interpret this is someone, instead of coordinating things with Daniel, who is the upstream of that package and the maintainer of the package, they just went and fixed it using an inferior fix that Daniel was trying to ship in his own conflicting possible future version.

That is pretty ignorant, and I can't blame Daniel.

This is somewhere up there with Debian habitually backporting security patches into an ancient version of Apache to the point its a broken unsecure mess, and adding an unapproved patch to ssh that caused it to generate completely broken and highly unsecure keys.

AFAICT you have it backwards -- the other packager is the upstream developer and maintainer of the pre-existing ubuntu package. The only thing that Daniel's package had going for it was that he had submitted it earlier, but he had not gone through the process of filing an ITP to tell other people that they don't need to spend time on packaging it.

I find the whole thread somewhat cringey to read and I'm not sure why he thinks it reflects well on him.

Regardless of who was in the right, there's a number of people on that thread who come off as incredibly disrespectful and should be issuing public apologies for their behavior. I get that it was a heated argument, but people deserve more respect than that, especially when they're volunteering their time.
No. Because Daniel ignored protocols someone else had to volunteer time to clean up that mess. It's quite possible such thing happened before and Daniel failed to learn a lesson. Either way — it's pointless drama and rage quit.
Is there an ITR process ("Intent To Replace")? Because the issues REALLY got bad when the following was written:

  live-build has been deprecated by debian-cd, and live-build-ng 
  is replacing  it. In a purely Debian context at least, live-build
  is deprecated. live-build-ng is being developed in collaboration
  with debian-cd and D-I.

  I'm aware that I'm going to be upsetting people, but this has been 
  a long time coming and I'm not going to spend time bikeshedding
  over naming. I would rather spend that time on integration of live
  image creation into official Debian infrastructure and building 
  the best system for live image creation possible.

  Consider this thread marked as wontfix.
https://lists.debian.org/debian-live/2015/11/msg00008.html

So in other words, there was an upset about Daniel not filing an ITP, and then this casual email gets sent saying an entire project has been deprecated, that discussion is not needed as it was a fait accomplis and the hundred and thousands of man hours people contributed to it weren't important?

Not good, and very poorly handled.

That one stood out to me - plus the other part that says that debian-live was never an official project, which seems to be in contradiction to https://www.debian.org/News/weekly/2006/08/
Well, too late does that same guy realise that things have gone pear shaped!

He's gone from "this has been a long time coming" and "consider this thread marked as wontfix" to the below:

https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=155;bug=80...

  original aim for this was that this new tool would be integrated 
  into the existing Debian Live project, and that we would bring 
  the Debian Live project into Debian. This is not the way it 
  has gone.
Except that is not what he wrote. He didn't say anything about integrating into the project. Instead he said the project a. Wasn't an official Debian project (when actually it does look like it was), and b. They were about to deprecate the entire project!

I have to call bullshit on this one. There was never any intent to integrate with the project.

That's one dishonest email!

> Wasn't an official Debian project (when actually it does look like it was)

There were no Debian Developers involved in Debian Live of late, because Daniel (somehow -- I don't care for the drama) got removed as a Debian Developer. I don't know for sure, but I would totally believe that it was officially a Debian project in 2006 but was not in 2015.

As a Debian Live user, this situation was quite a bit confusing: the only Debian-related URL it had was live.debian.net (in the debian.net namespace that any Debian developer can request a DNS record for, pointing anywhere), and it really seemed to live on live-systems.org, which pointed to the same servers.

Sadly, it sounds like the e-mail you get from mangers when they want you to keep working until your replacements are ready to discard you properly. I agree with you that those two e-mails say totally different things.
Sadly the Linux ecosystem seems to be getting a whole lot of that managerial double talk lately.
> This is somewhere up there with Debian habitually backporting security patches into an ancient version of Apache to the point its a broken unsecure mess, and adding an unapproved patch to ssh that caused it to generate completely broken and highly unsecure keys.

Please don't spread FUD.

Debian does a great job of creating and maintaining a stable, secure, and coherent operating system.

They may modify upstream software so that it complies with the Linux FHS, but the goal is to achieve a coherent system (e.g. config in /etc, data in /var/lib, etc). IMO, they do a better job than any other Linux distro.

Debian also has a strict policy on decoupling libraries from programs. This means that when a security update is released (e.g. the security fix for latest libpng vulnerability), you only need to update a single package.

Finally, Debian aims to be stable, which means they'll keep an eye out for vulnerabilities and backport fixes. This is done instead of forcing you to move between versions of software, which has the potential to break things, or create new security issues (e.g. changes in config).

The Debian+openssl vulnerability happened in 2008. Go back, and look at Debian's security record (e.g. go to LWN and see Debian release fixes for the latest vulnerabilities just as quickly as Red Hat and Canonical/Ubuntu).

You're preaching to the choir however.

I've used Debian for over 15 years, use it on all my home machines that run Linux, and also use it for prod everywhere at work. Everything you listed is why I still use Debian, even when Debian politics like this keeps ruining Debian further.

I won't touch Ubuntu with a twelve foot pole, and I think RHEL family distros are trash.

However, when I say Debian has deep internal politics issues, I am saying this unbiasedly: I like Debian, but I wish they'd stop ruining my distro of choice.

Can someone give us a clue what's going on in this thread? I can't follow the jargon at all.
A group of people failing to cooperate, communicate, or generally work together in a reasonable way. It's both a failure of each individual to work together constructively amongst some confusion or disagreement and a systematic failure of the whole organization to set expectations and have reasonable clear remedies for such conflicts.
"ITP" stands for "intent to package". When you want to package something in Debian, you file a Debian bug with "ITP" in the subject. (The bug is filed against "wnpp", an entry in the bug tracker that doesn't actually represent a Debian package but represents "work-needing and prospective packages.")

The ITP bug does not actually do anything with regards to the upload process; it's simply a coordination point. You can ignore the ITP process and upload a package straight to "NEW".

For historical reasons, the team that maintains the Debian package archive is called the "ftp-master" team, though the archive is generally retrieved via HTTP. They have the final authority (subject to, like, a project-wide vote or whatever) on what actually goes into the archive, and it's their job to prevent things like packages being hijacked from an active maintainer, in addition to verifying free software status, non-atrocious packaging quality, etc. Part of that verification takes time, especially for brand-new packages.

What happened in this bug is that Daniel did not file an ITP and uploaded the package, and Serge did file an ITP and uploaded the package, and the NEW queue got both of them. Who's in the right is pretty unclear. Daniel had his package in the queue well ahead, but Serge followed the procedure, and the very reason the procedure exists is to avoid conflicts like this. So Ansgar, a member of the ftp-master team, told them to work it out amongst themselves (a common response for conflicts). Later, Paul, also on the ftp-master team, said the same thing in stronger words, in the email rejecting both of their uploads.

Serge also had uploaded a newer version of cgmanager which unblocked systemd-shim (the compatibility layer for running non-systemd systems). Daniel had uploaded an older version that was not useful for systemd-shim.

So Daniel and Serge worked things out amongst themselves, except Daniel did not actually get around to uploading his package, so Serge uploaded his original package after timing out on Daniel.

Serge was technically in the right, but that isn't really the metric. Serge was also probably socially in the right, but this was unfortunately a murky case.

Paul accepted Serge's next upload after hearing both Serge and Daniel saying that they were working together, even though Serge just uploaded his original package (without Daniel's packaging and without listing him as a maintainer).

There are obvious echos with what happened in Debian Live: Daniel feels hurt because other people ignored work he was doing in favor of their own thing, and everyone else felt frustrated because Daniel's work didn't support things that the rest of Debian needed, and there was no sign of that changing in a timely fashion.

The final email on this page is a very important read. If you tl;dr this link, skip to the last email before you leave.
Actually, it appears that Daniel was wronged there also. If you are going to upload a new package and you know there might be a conflict, wouldn't you notify the other person?

Seems like Daniel has been wronged. Dick move by the debian-cd teams.

Is this the end of Debian being available in a manner that fully boots from the install media without requiring installation, or just the end of a project called "Debian Live"?

("live" installers are widely useful; eg. Kali and Ubuntu I believe are based on Debian and I can't imagine either of these projects abandoning the possibility of a "live" boot)

Edit: thanks for answering, Wilya and maheart! If you two are right, then maybe this topic really isn't important enough to merit the front page of HN (I mean, Debian drama is nothing new)?

Reading the bugs and threads linked, the biggest issue seems to be that some people from the debian installer team decided to write their own live cd and declared that Debian Live was obsolete, without ever speaking to the people from Debian Live.

So, it is probable that a live-cd will still exist, but it won't be the one called "Debian Live".

FWIW, the last time I saw a team act like this was the OpenOffice.org team completely reinventing the solver module, even after the incredible hoops they made Kohei jump through in his attempts to get it integrated.

On the plus side: I'd say that was the tipping point where OpenOffice jumped the shark and the LibreOffice project was the ultimate outcome.

I'll also note that Daniel has for some time not been a Debian Developer (there was some drama there, the details of which I wouldn't want to recall even if I remembered), and "Debian Live" has been not an official Debian project for a while -- it's running on live.debian.net (not .org), it's running on servers personally run by Daniel (not by the Debian sysadmin team), etc.

That said, IMO the distinction of "not an official Debian project" is less about where the service is running (it's a volunteer project, anyway) than about how integrated it is with the rest of Debian. For a while, Debian Live has been showing strong signs of being Daniel's personal project -- with a lot of users, to be fair -- and not really working with other Debian teams or developers. I think that's what came to a head here.

It's been a while since I worked on this, but IIRC Ubuntu's live image is based on Casper, which is a separate system from live-build (though live-build supports using Casper).

Also, bear in mind that the specific reason this happened was that there were features live-build didn't support, like UEFI boot, that the Debian project needed. This entire kerfuffle came about because Debian wanted a better live boot system.

(comment deleted)
Debian community is a riddle, wrapped in a mystery, inside an enigma.
That's quite the rage quit.
I agree - it is quite the hissy fit for what appears to be a minor and resolvable (amongst adults, i.e.) difference in opinion. Imagine if every ER doctor quit because some patient or her relative in the ER questioned her judgment.
And you're the worst person here. Commenting on someone's decision to step down after dedicating likely thousands of hours of their life to an OSS project. And you don't even have the backbone to attach a "real" pseudonym to it... complete cowardice.

I just can't get over the entitled mentality that causes someone to make a flippant remark like that.

It's probably more likely cumulative. If you've put that amount of time into a project it can become difficult to take criticism and Debian's bureaucracy can become overwhelming.
I always thought that debian's highly complex bureaucracy would keep things like this from happening and make it the immortal distro you can rely on but this is one in the series and I'm reconsidering my opinion. Maybe despite the rock solid processes it's still just a bunch of guys writing code and having arguments like any other project.
It's kept me away from maintaining any packages, that's for sure.
Debian has rules, but it's pretty decentralised. These sorts of things are always going to occur when you're dealing with 1000+ individuals (sometimes with different goals).

Debian is not without drama, but a lot of work happens without any drama at all, and as a result, you don't hear about it.

As other sources have claimed, "Debian Live" has for some time not been a Debian project at all. It was fairly strongly bypassing the bureaucracy, and most of the outspoken users seem to be people using it for downstream distributions.

The existence of live-wrapper (formerly "live-build-ng") can be seen as a way of regularizing this situation, by writing software that the Debian CD and boot teams can rely upon and is strictly better than Debian Live for official Debian purposes. "Debian Live" was not providing needed features.

Debian said the packager was not up to their standards of bureaucracy.

It does not respect the impossible requirements (multi-archi, grub2, UEFI compliant).

So they are making a committee to fix the situation.

And maybe when all archi but x86 will have died and optical storage will do at least 34gb, they maybe able to ship a 5 stages bootstrapper that ABI may boot debian in one decade, and have emacs an optional requirements even if you have only 640Mb RAM.

> It does not respect the impossible requirements (multi-archi, grub2, UEFI compliant).

Why do you think this is impossible? I maintained a commercial downstream distro based on Debian Live that had all of these features working fine.

Because of the bureaucracy...

I have invited people from debian to make conferences and know myself one of the former DLP.

Debian has something scarily bureaucratic in its organization.

As an effect of conway's law (structure of the organization gets in the product) the debian developer's guide is like hellish, their level of indirection for forcing everyone in the LSB without breaking the change in the "reasonnable" default conf are heavy. And not even close to correction : the spliting package policy (avoiding too much dependency) makes installed python or latex feels broken.

It is like the heaven of both former soviet idealism (comitee of workers handling the positions), and engineers (debian can easily be considered an example of the best practices of ISO 9001/ITIL process)

With good intentions.

I used to be a debian sysadmins for 15 years.

I mean, they really are trying their best to : satisfy everyone in choosing the best default conf/options/requirements so that other packages integrates well. The embedded world, x86, ARM, virtualisation.

But I think bureaucracy sometimes ends up like a cancer. Bureaucracy requires to drains part of your effort into its sustainability, and sometimes the energy involved in bureaucracy itself out sucks to much resources for even getting the job done.

I think they try to hard to do what they think the right things. I am not even sure they have a clear view of their monster blob distro.

Mozilla fundation is another new growing tumor in the world of open source. Do we really need to had statefullness over a stateless protocol in order to bring RT in a non realtime-able container ?

When will the brainwashing of the XUL team will end?

NO! the web browser is a terrible substitute for GUI especially in async fashion.

And js is a terrible scripting language for GUI. Tcl/Tk should be back again.

Thanks for your service, Daniel.

I think there is a cycle to these things. You start by getting excited by an idea, and work night and day on it. If it's useful, you attract attention and users, and it slowly stops being either exciting or your project. You start to grudge all the work people expect you do to add their ideas to the project, and eventually someone is rude enough to make you call it a day.

The beauty of open source means that this isn't the end of the project. If it's still usefull, someone will get excited by it and start working night and day...

Very interesting series of threads. I'm sad to see this happen. I switched to Debian from RH as my personal choice back at Potato and have used the live build a couple times that were a real help. Some of the thoughts I had while reading this were 'Wow, I never want to get involved with anything to do with package maintaining' and 'It seems like Ubuntu is pretty much just running the whole show now'. Maybe that's an oversimplification but I really don't like the entire direction that Ubuntu is going in which is why I stopped using it as my default desktop OS. Now I kind of feel like I don't have a 'home base' distro anymore. Sigh.
It doesn't reflect well on either side, to be honest. It's clear all involved have contributed a great deal but all also struggle considerably with communication. Seems to be a trend lately and I'm sure this won't be the last time someone rage quits over a difference of opinion.
Call me suspicious, but taking over that project means that the replacement will get run whenever downstream distribution are live booted

If you were evil .. Isn't that a nice project to hijack?

What's that sonny? Canonical land grab?
A recap from someone who's not a Debian user but who read through the bulk of the threads:

Debian Live has been around for 9+ years, and at least back in 2006 was described as "an official sub-project" which seems supported by the existence of live.debian.net (at least from an outside-Debian perspective).

Some folks on the debian-cd project, possibly unhappy with the level of support they were receiving re: UEFI or possibly just because they had a new shiny, decided to do a new (currently experimental) live CD building system based on some other tools. Note: still experimental.

There's little evidence that the original debian-live folks knew anything about this new initiative, though some have reported that it was discussed in-person at conferences.

While the new project was still in the experimental stage, one of the debian-cd developers decided to publish it as "debian-live-ng", and when politely called on it (see thread: https://lists.debian.org/debian-live/2015/11/msg00003.html) another of the Debian developers eventually came back and said (my translation) "[you're not an official Debian project even though you pretend to be, so we're proceeding as already stated. Consider your concerns marked 'wontfix'.]"

The head of the Debian Live project, faced with this, announced that basically due to the release of its replacement with no prior notice, clearly debian-live had been supplanted so it was being shut down.

There were some places in the past where Daniel Baumann (of debian-live) came off not so well, but in this case he politely pointed out "hey, you've just announced something that collides with our namespace" and got what seemed like an official "yes, we know. You're not needed anymore."

Update: I recommend geofft's much more informed comments in this discussion

So are the choices listed at the url below not going to be available in the future?

I always liked that there are choices of different sized images (.img not .iso), including xfce and especially the minimal "standard".

And also that the compressed kernel vmlinuz and ramdisk initrd are available separately for each.

Are these choices going to disappear? What are all those downstream projects going to use now?

http://cdimage.debian.org/debian-cd/current-live/i386/webboo...

"We will not hide problems". What a lie.