Day three of our sprint was dominated by hacking. In the morning an archive wide rebuild against Ruby 2.7 had finished. So the list of packages in need of a fix for the upcoming transition got longer. Still we found/made some time for a key exchange in the afternoon, in which even some local university attendees participated. Further Georg gave a short talk how keysigning works using caff and the current situation of keyservers, specifically keys.openpgp.org and hockeypuck. (The traditional SKS network plans to migrate to this software within this year.)

Regarding Salsa, Antonio was able to fix gem2deb so our extension packages finally build reprodicibly (Yeah!). The decision to disable the piuparts job on Salsa was discussed again. The tool provides a major functionality in question of preventing “toxic” uploads. But these issues usually occur on quite rare occasions. We think the decision to enable the piuparts job only for critical packages or on a case-by-case base is a sensible approach. But we would of course prefer to not have to make this decision just to go easy on Salsa’s resources.

Regarding the complex packaging situation of gitlab and the high likability to break it by uploading new major releases we decided to upload new major versions to Experimental only and enable a subset of gitlab’s tests to discover breakages more easily.

Some leaf packages have been found during our Sprint days. This led to the question how to identify candidates for an archive removal. It seems there is no tool to check the whole archive for packages without any reverse-dependencies (Depends, Suggests, Recommends, and Build-Depends). The reverse-depends tool can do this for one package and would need to be run against all team packages. Also we would like to identify packages, which have low popcon values, few reverse dependencies, and could be replaced by more recent packages, actively maintained by an upstream. We decided to pick up this question again on our last days’ discussion.