You can have the big bugs, but where upstreams can be added to the line, or doesn't support old versions, such as we have in Debian stable. By the end of release, then there is no one who can easily fix bugs. I think users need to have some sort of clue as to how well we can support those packages because clearly not all packages are equal. Thank you. Now one really has the time to check all the 15 minimal httpd packages whether they are your most suited for this field of application. So I guess removing more packages which actually you wouldn't lose anything and still gain quite a lot. Yo, we have this discussion on, I don't actually remember whether it was on a developer or private but the consensus seemed to be that most people were happy with quantity. I can understand your quantity, you want to improve quality versus quantity. I agree with you, but I don't think we can bring the general volume as a loan with us on that. 
I also don't agree because I think that maybe I look for a way to let the people have the freedom to choose, and especially if you've got a problem, let's say with other conditions at some time in the future, you can still have the MGHATBD to replace it or something like that in the world. You are not bound to any other funders and any other provider of asset because you have many. So you've got a real freedom regarding this. So I think that maybe some package should pay more attention to some package because they are more important than others. And we feel that renewing the more packages is an introduction, except that the maintenance is an MGHATBD in the state, yes. You can renew the package, or the MGHATBD and no one else. Just because someone wants to maintain his pet package does actually not mean that he should impose all the work on all the other core teams who are affected by that. If someone wants to have his minimal httpd in the archive just because he is the author, we have quite a lot of these. Oh, I wrote this in university because ten years ago, and I think I still use it somewhere in my private network, so I think it should be in the archive. This actually imposes all the work on all the other teams like the QA team and everything else, and it goes missing in action if it imposes work with the security when the security is coming in its pet package, although it may only have three users. And it's also a live voice for the release team, like managing positions. I don't think nobody can ever check all these. I don't think it actually brings any benefit because if you search for a low, minimal, or a low-memory food for the httpd, you will never have the time to actually check all these 15. Of course, there shouldn't be a situation where we're only at the cashier, but I don't think all these applications really serve the problem. 
Yeah, but the problem is what's actually working okay, I think, is if there are some really great bugs that are reported as RC, the packages are, in other words, very fast and testing. So I don't think the release team really cares that much. What the problem is is if these packages, the problematic packages that are broken, but nobody ever reported a bug against them. There is the issue of if people try to package, it just doesn't work and they don't want to try something else. And then it will waste the time of everyone else after them who tries it. So that's one point. Is there a way to get people to test also packages and then also report if they are severely broken? That's one problem. And the general problem of QA is removing packages because they maintain an MIA, at least often and then later remove them. The problem remains that this is a very manual task and very individual. So the question is can we optimize this better? So, yeah. I don't really have a point at just for the sake, that's probably the point. I have a couple. I think I was noticing it. So you want to, like, make levels visible to users, like support levels somehow, a potential way to be through that. You can have like a support process. The thing is if that happens I would like to have only positive aspects listed in it, otherwise they become shame models. But it would still be, you know, whatever is not positive is negative. So one could say, you know, this is maintained by security, like security supported by security teams. Okay, I prefer it over 100,000. This is all fun. This has had no activity since years. Now that needs to be weighted against login. And things don't need to be weighted. 
But if we can come out with a decently measureable list of qualitative positive aspects that could solve the problem of making visible users, and we can just distribute it through Netflix, and about security support, more if we think it could be, I would adhere to allow to shift security support for some value of the packages to the package maintainer. Like what this was actually done for certain extent, that we don't prepare all the updates for ourselves. For some packages we can't redo for ourselves any other cost packages. That is quite complicated. So at least testing and testing of the update is the number of containers. We don't have a possibility to, for example, test the voiceover of the package because we don't have the necessary output place. And for context fixes, we also need the maintainer. But the problem is that many of these first packages don't even have an active maintainer. Someone uploaded it three years ago, and no one has really seen it. It might not even be missing in action, but because the package is so low maintenance, because it doesn't require real maintenance because it's just a package which few people use and few people report by accident. I think that we kind of have an implicit security support scope already. For example, at the end of the day, if you find a denial of service capability in a minimum DNS server, it's even quite likely that we won't fix it at all because it has so few users. And that's quite the margin between the security problem that the generic package provides. Right, because I was thinking, I mean, if that could help you, one could take it exclusive to say it doesn't care about this package somehow and that allows people who maintain free packages used by, I don't know, some academics, target group. I'm thinking that I maintain, like, meteorology packages, and there's not many weather synthesis with any. 
I mean, but still, my strategy is I think it's possible to do things like that, and I don't want to put a load on you. But, yeah, well, free packages typically don't impose a very much load on the security, or the certificate applications to rather than a security problem. And the only applications which actually puts down this proportionate amount of work on most of the web applications, but we're thinking of different ways to support that. So this would actually go into the direction of imposing the work on to the data themselves. If we maintain it all the time, it would be likely up to the maintainer himself to update the package. There are some effects, maybe 20 packages. The problem is that most of the security bugs in, for example, minimal httpds are not supported at all. So we don't even notice them, and if we notice them, which is rarely the case, then of course we fix them. And it's not that much of a problem. I think the main problem here is that most people won't notice that. There's no specific review of all these packages. There are no independent security researchers or companies like Secunia or iDefense, which have a look at them. And we also don't receive backup calls from them, which indicate that there would be a security problem. And there's also been a discussion in the previous days of doing something like the cleanup of bike sheds in Amsterdam, in which you have a bike shed, which is full of bike, all the old broken bikes. And people put stickers on all the bikes that look dodgy. And the sticker says that if you don't take the bike away within two weeks, I will come and pick it up and send it to a bicycle recycling centre. 
And so the idea was that whenever the bike packages that have not had RC bugs, and that had them for like months, and they last, of course, was an enemy, or those that look dodgy, we open an RC bug of them saying, well, close it within two months or we file for removal, which would kind of, all those developers that may have uploaded something three years ago, but don't care about it anymore, will have an excuse to let it just go, because they would have to do nothing else particularly with it. Yeah, that's already been done. So if whenever we're feeling that a package isn't really pushy, or that it's inherently insecure or broken otherwise, for example, we had that for a few more applications already. We filed the security market report, which was really written for security. And a few months later, we checked again, and it's still present, and I'll mention it in reply. We tried to fix it with our own resources, which is often quite difficult, because we don't really understand so much about applications. Or you need to get to the details for quite some time. But after that, we've always filed a removal bug, which are processed pretty quickly right now, where the FTP master system never takes longer than a month. And I don't think there's ever been a case that one of these removal requests have been declined, so the sexual has been done. But one last note, please. It's only the case for all the packages, which are actually where someone's spotted a security problem. So all the applications that we've already had, we don't really do this. Of course, we can't file a release certificate for all the trust in handsome, but I think it's going to be all right. It's just to apply a clean-up. No, clean-up. We did something like that about the sticker at Etch was released. We looked at packages, which were unstable at the time of the freeze, but were not in Etch, so we didn't take packages that missed the release. 
And we tagged, we've had assybergs against some, against those that we thought that should be orphaned or removed. But it's very hard to say if a specific package would be just orphaned or removed. Sticker to this site when you don't know the package, so we can hide the maintainer, but obviously it doesn't answer if it's on your phone. If you don't actually remove the package. Yeah, but the package sometimes is as user. So sometimes it's better to orphan it first, and then we move it, and then it takes about one year between the time you support the problem. You orphan it maybe three months later. It's a very hard process, actually. Users don't really know what's orphaned. We can go and check what's orphaned. Users have, typical users, I suspect, have no idea. I think we also need a way to withdraw all the security support that's just in stable place. For example, if you're in body light, you have this problem with the smosailer. There was no security support, but basically the current was not supported either. So there must be a way for users of stable that they see if the state of package changes. It's no longer supported. If we just remove the package from the stable, it has been suggested for some packages, and the user won't see it either because if it just gets this, then we don't want it to be changed. I think we all have our best practices in doing a package. For example, when I first started a package, which I've never tried, or when I had to choose among different software, which is that we do basically the same thing, I have some habits, like I go to the back office system, and I see how many devices I have on this package. Maybe I have to get the tools and look at the last time that you can change or this kind of stuff. I think it could be worthwhile to start sharing this habits. Maybe we can collect them in our wicked agency. 
How many of them can be formalised, and checked on the library, and if it's possible, we can use other planning ideas or something like that to tag this package, this, my best practice for looking at the product package. But I don't think it's really possible to avoid the blame inside of creating the quality for package. So one of the idea that we have is that with tabs, and like they could fit into your community, it would be to have user-centric reviews of packages, Amazon style, like maybe with a star mark or something, that could be also used to, not only like bugs, but also the whole packages ability. Because sometimes you have software, it's not buggy, but pretty useless because it doesn't have all the features. And so you could use that kind of mark to actually know better if it's a possible candidate for a new wall or something. Do you mean something like a weighted product? No, something like Amazon reviews of books. No, in this package, so certainly, I think it's more rating like user ratings for each package, like what's fine, or is pretty welcome. I think that's what we do. Yeah, basically, I really like Amazon reviews. You know, you have to put a mark on each package, and that could be on a level, that could vary on a wide scale for every single user. Could you use popcon? No, you couldn't use popcon because I can't have a package on only one of my machine, but it's essential for my work. I mean, that's a different metric. You can have packages that are very important for some people, and that would actually be important to keep in the archive for that precise reason. But if the package is always like three stars out of ten, it's a candidate for removal, but you will always have also a text entry with that, and you will really try to understand what's going on. But we're going to talk more about that during the TDAN community, though. In fact, I have also an argument against the removal of packages. 
I think that we should not fall into the same scheme as the Red Hat album. I mean that we have a small set of packages which are maintained officially, and a lot of packages around in the wild that are not in our repository, but in other repositories that we don't control and that we can't even test for real. So if you remove packages, you will put these packages in other repositories because even if it's only useful to one person, you will create many day packages in the wild and we could run into a higher security problem because the people will make more and more very specific set up and they will put the solution in it. For example, if you get a package that requires a very old version of JTK, for example, the people will take this package and we take JTK and we inject it in Sarge because it needs it and it will get something very complicated. And I think for security reasons it will get something very complicated and very unproducible at large terms. And maybe it's not... I think I'm okay that certain packages should not have security support and that should be maxed using the tag or something like that. Just write a star on the package saying that FHU is supported by a security team and VoA is not maintained by security teams. But we should not be moving from that. I agree with you that Debian very profits for not having many external repositories. There are some, but they are quite known. And so I agree with you to aggressively remove packages just for the sake of removing it and making it easy for security support. I think we need some other solution. I think there is some agreement that we should somehow mark packages we cannot really give the same care as we do for our main packages. Has there already been some consensus how do we want to mark the packages? Ubuntu is using an extra section on the FTP server. Do we want something like this in Debian? Do we want to go with debtags? 
The advantage of debtags would be that we can change these takes more easily than re-uploading it to another section of the archive. I'm not sure how we do that. I would feel fine with debtags but I don't know how the others feel about that. A way of giving the time information to our packages? Right. It's just the problem of control. I mean, it's a security team which decides what packages are supported and which aren't. Currently, debtags is like Enrico only. There's no way. I can pull data from security team not make it override completely. I mean, let that play for the way. debtags input is wild. I understand your review. But then I can, after my review, just pull in whatever the security team use me and have it be below. You can say from the web-typing interface I don't get any of these data. I cut them out and I pull them in from security team. So they can be as their view as you want. So, okay. Let's see what I want. I want to try to come back to something someone said earlier. I think it's not so much a problem for experience this admin to rate packages because you really can look at the popcon score, the box score and past DSAs and you can get a pretty good picture of what software you should use in your company or on your commercial server or something like that. I think it's really the problem more for an unexperienced end user because he probably can't do that or he doesn't know how to do it or how to rate this information he gets. So it really requires that we get this information anyway. I think users rating packages is really a good idea and we should do that but it doesn't solve the security side of it because the users won't be able to judge the security of the application they use. 
It's more about this aspect like I tried it and it was completely broken and I think if there's a clear like if there's easy website where you can easily say that without finding a right report I think it should be possible to increase the numbers or the percentage of feedback we get there and I would also agree that we shouldn't like want to make like main and universe because the first it will we will not be able to do that without like having a constant framework for about six months and some smaller frameworks after that and also because there shouldn't really be like debtags or something that would be really more flexible. So I wanted to ask how does this debtags information munging currently work? Is that like a repository where you commit that? The workflow is the good workflow for the official Debian Pack source is that there's a web interface to pack packages that goes into an unreviewed pack database. The unreviewed pack database is periodically checked by myself and so I remove junk if I spot it and it goes into a reviewed pack database which is made on some version so you can get any older versions if anything is closed up and that goes then to the packages file at any point I control all the workflows so I cannot anything we want really become some part that computes automatically. But it would be easy possible to like if there would be more work on that to extend the group that reviews this. Yeah, like you do it yourself at the moment and if we would use debtags more it would be more work. 
No, all the scripts there's not more work to be done to people and it's fine and it just needs to know the type of time you're living so at the moment there's just not many people that do but I welcome any people that are going to help me and if there is information from other resources like a list of packages in the security team like more a list of all of that packages when there is information that is absolutely objective doesn't need to be viewed we take it from there we take it directly in the target place. You said earlier that it is better to use positive text or something like that but especially for something like security support I don't really see how to do that because otherwise you just have to add the text security support to all packages and then remove it slowly. Totally? That sounds like a lot of redundant ways. That's fine. Just a bit. I think we're having a small problem with this discussion because we are talking about removing packages which are not useful removing also crap from the ACAC which is a good thing but we currently have about 15,000 packages even if we manage to remove 1,000 packages which are crap it must be approximately what it is it is not going to help security support at all because there will be 14,000 packages left and it's not such a big difference. I think that for the to find out which packages are not used anymore something good will be to our policy for example of not releasing or found packages this could force maintainers to adopt packages that are often because many of them are used and they could find maintainers even if this goes to some sort of load by non-release and I think that's something that we should discuss with the RISC team maybe. 
The RISC of a package should be ACAC packages I think I just want to say that if we if we are going to split the RISC make a universe in such a way that 20-30% of packages will remain in the RISC of the universe we shouldn't change anything because that users would say I need this, this, this, this I have to use the universe and I forget about this also the splitting of the universe is not to be used with this black and white but I think we must put the information easily to the users I think in some texts like this is one of the common ways to force 100 packages to force 1,000 packages and so I'm going to say I think going to speak up to what we have over the construction of the way We can sort by pop from now in package managers as long as people notice that they are that I believe the last 2 weeks that we have taken so we don't need to ask for it Yeah, that's what we confirmed that different archive suits are not suitable we can see that a bunch of which provide security support for about 10% of packages that they actually provide security support for while needed all the users are forced to include one application or the other so they're specifically quite if you're installing a services you'll need to always run to a situation where you have unsupported software sometimes if there's enough pressure from the user base unsupported universe directory that other than that I don't think that's a really good idea I think I want to clarify here about the situation with universe in Ubuntu and why they are doing that the main point why they are separating main from universe is that they have a company who promises to provide security support for main in fact there is security we have infrastructure to do security support in universe as well and I have already done some security uploads for universe but it's just lack of manpower and I think the main point why Ubuntu is separating is to make it very clear to the end user to say if you're enabling these repositories it 
is possible that you get packages for which you can't request commercial support from Canonical so this does not suit Debian very well I agree with that but if we want to have something similar to have some sort of two class society of packages we still need to provide our user some means to clearly say why you have these packages installed for which the security support is not able to give you support for which Debian is not having the resources to really care for them and I'm not sure how to make this perhaps you can integrate this in APT or have cash I have no idea but I really think if we say no we want not to this archive split which I agree that it's not very suitable to Debian we still need to think about some way to make it very clear which packages have our first class citizens and which packages are second class citizens absolutely think that it must be integrated because in some other ways if you install a package there should be a warning like now we support if the signature fails there should be a warning these packages don't have security support we really want to install them so I really think we need such an integration I will analyse that like one possibility to find a little bit what volatile is because it's like we have an upstream that doesn't want to provide us security support or even that don't want to support their previous session like we've seen recently with the young free business whatever these packages could be moved to volatile I mean like you have some PHP web apps that could very well shoot in volatile because they are like able to maintain a secret standpoint and I think it would be like quite a possible solution to try to move some packages and that but it will mean like adding like still adding volatile more integrating a little bit more closely in Debian we need a question in the Debian store to all users on the mobile and we will need also I think better well connective business on the web inside the mobile and we will have to 
also draw lines at some point and that's going to be the same as truly possible I think that well it should be only an option of APT just like you just like you configure your sources that you can configure this option just to say it's an option in APT APT secret only and you just get yes to this value to this value for configuring APT and every time and you try to install a package that is not supported by a security team just one you and ask you another question saying just like when you try to configure a package that is not signed you get a warning if you try to install a non-security supported package on your system as you have checked the solution just to give one more question at the configuration using the Debian installer and for people who have already something installed it's just one more option to RTC and if you like and if you don't. Another depth I could have personally depth I could have a looker would be all standard package package is now to use it and I would get a version of the quality because that would show some actually use it it's a metric to measure like that a package that we have often deployed I suppose I have a live login which doesn't require maybe uploads for three years and it turns out there's been nine policy updates none of which requires any changes in login do I have what date and new version of login just to change that version? 
There's a lot of information that's useful to developers probably not to the understanding user and we have developers who can probably look that up on the package page it could be useful to know if the standard version is old and there's been policy changes that affect that because you don't tell but it's not the car automatically so and if you can those are actually about it so that could be some writing that could be maybe in-game and in-game because it also has too many packages I guess I don't know so if we want to support some packages more to volatile probably needs to be in the forward sources list that is installed by the IE probably not uncommented should be commented out but currently I don't think that many users actually know that it exists and it's very underused I just looked and there are packages there but there's a lot to go to expand on just going back to the various suggestions of how you would measure how you would do have a how you would come up with support metrics I don't really think any of these are going to work I think it actually comes down to human judgment and I think a large part of it has to come from a package maintainer moderated by if a maintainer is not contactable then it's not supported I don't know I imagine a package where upstream is must be inactive for example I'm willing to fix any single bug that will be reported to me but I know that upstream is interesting to mention that the software anymore I don't know if that's a metric that is interesting to have for example I think it doesn't say anything at all in itself because for some packages you can say I'm the maintainer but I wouldn't be when I'm just not able to fix exotic bugs because I don't understand the software right now there are packages that I maintain I don't think I actually maintain them anymore but where I had no clue how they work but there were nobody else that wanted to maintain it and so I maintained it but the other packages if upstream vanishes it's 
not a big deal because you understand software just as well but it could be useful if you say I maintain this software and I fix packaging bugs but I can't really touch the code because I will break something so what we have said so far was down to there should be a way for the security team to clearly denote packages that they don't can't support anymore in stable and unstable you can just find an RC bug probably but and for orphaned packages you have always the maintainer here so you can see the packages orphaned but I don't know if this information can be actually trickles down from unstable so if it's orphaned after release it will probably be useful to have this information available in stable packages and but the problem we haven't talked about much anymore is that we have a huge file of software in the archive where we don't know how it if it works or something like that so where the packages where we have the information it's a method of giving this information to the user but the other problem of getting the information is completely separate from that I just want to note if there's such a mechanism in place which knows where a feature is and that it wants that a package is unsupported will be very useful that could be that could not only be used for packages that we know to be unsupportable at the beginning of the release but also retroactively right now we have the situation that we are no longer able to support Mozilla in Sarge because every four to six months there's a new Mozilla release which fixes up to four security problems and no other distribution besides Debian does backports we did this in the final Mozilla update but the Mozilla maintainers were unable to actually find any testers or willing to test the package so we're no longer actually able to support it and we just put a note to the recent Mozilla advisories that it's no longer supported but I'm not sure how many of the users actually read this there are some conceptually broken features in our menu 
actually which allows you to install secure database unattended which does not work I wrote something new about it most people do not think you can so this will likely stay inside the new ad features which will even worse the whole problem even further so I think it will be quite good that such a mechanism could even be quite retroactively so that maybe I don't know if it's information that debtags all stored inside the debtags package it's in the package ok so a new Mozilla so for example a Mozilla would be discontinued we can just issue a new Mozilla package which includes a new debtags that it's not supported it's having to override files you don't need to upload now I say this there's an override on the other hand the information may not be easy to attach to a specific version so the override file has package name there's no version information in it yeah but so currently it's like it applies to all suites old stable to unstable they have all the same text or is it by suite so has stable different override from testing the organizer uploaded to unstable they will go to testing make the stable release they will stay in ok so we don't have currently a way to change the debtags information in stable but you can edit the override for stable if needed but it's possible to make you don't have to ask the FTP master about it but this could be fixed by having to pay suites specific if that's the problem that for example a debtags no security support it would just create debtags for no security support so I think that's much more so it boils down to we have to ask the FTP master how easy it is to be able to change that we can edit debtags I was I took some notes so we've been talking about possibly how to generate the text like the package result and the main data kind of text media or we have been generated text like security support for this suit we could have tags introduced by the maintainer himself herself in the control file like I could declare in 
the control file, this package is a fringe package, or I could declare that upstream is dead, or I could declare that upstream is dead but I will fix that. Those are all things that the maintainer can declare. Then someone can know that, for example, dead upstream, but if he will fix that, then maybe I can put it into production as long as I'm happy with the current feature list, whereas if I instead hope that it will be better, I may consider either becoming upstream or installing something else. So that could help, that could be some out of, I don't mind putting a fringe tag in some of my packages, I know they are, and I maintain for both pages. What's fringe story, used by not many people maybe, I don't know, things for biology, meteorology, of that kind, because it's pure, it's pure, I think, you know that. I would just like to come back to the how to find packages that are trapped. Basically just have to find a list, a source of information, and get a scoring mechanism to say, OK, this one was not uploaded for the last two years, so it gets once 10 pounds, for example, and if the package reaches 20 votes or something, then you add it to a list of questionable packages, and that you have to review. But that's just something that can be automated, that the review cannot get, and that's quite, I suggest you make a prototype for the alternation and look at it carefully, because scoring are good when the price of a bad scoring is low, but when the price you pay in case the scoring is bad is very high, because you will have problem cases. But then you have to review the package, it's not about removing them automatically, just to get the first list of what should be reviewed. Yes, and at that point you might want to contact the maintainers or make a list of maintainers for packages that are possibly not properly maintained. I won't do that myself, but if someone has to pass that, I already have to click on that. I just want to know that, another very useful check will be suited for local use only. We've had at least
one case for Edge where we had the option to either drop the package, the case is Xquail Enter, although there's a fork of the code base which might be the code base up in the foreseeable future, the code version is not. But I think it's a web-based double double-entry double-entry accounting system, and I think it's completely fine to be glad that such a solution is not exposed to the untrusted public internet, because if you run public access to your double-entry accounting you have the worst problem actually as well. I'm not sure how many of the users actually read but readme.demu.security file, but I think it's still fine, because the typical field of, the typical usage scenario for this package will only be local use anyway, and I guess there are some other packages in the output which will come to such a time. Would this be maintained by the security team or the security team? Yeah, by the security team, but with the limitations that, for example, the view of the universal vulnerability which only affects a user scenario where you have an untrusted external tackle on untrusted person authenticated, but it is secure to support, but only for the same application scenario. I'm not running out of time here, so I have two other ideas for these facets. One could be software development status, like out of time, beta, stable, mature, data stream, data stream or F53, and what, I don't know if that would be interesting, but like a tag maintainer, the maintainer is a user that the package is, I don't know if that's clear, because you know sometimes you just get a package on your hands but don't use it anymore, but there's no one willing to use it, and I think it's a lot better if the maintainer is a user of the, I like this one because that allows you to maintain playground packages in unstable, but at the moment they just migrate all the way to stable, and at least with this type we could actually know that this is something intended for share it
while developing instead of building it for a stable. That's exactly what RFA is for, like a request for adoption. You can offer it for adoption without actually offering it, so you should really file this bucket instead of just taking your package. No, but this is a development part, it's like alpha, beta, internet for production. I meant the second one, I don't use this package anymore. So good point, but if you don't want to release the statement you should find that a serious, sort of a kind of test to be done for this. So it's also possible for a lot of people that are doing this, a lot of package ones in that statement. We have very useful zero point statement version packages in stable. Bit more about this, the maintainer can do that, can't decide if, you don't need a special type for that. For packages that I'm not intended to go to a stable release, maybe the best would be to upload to experimental. But experimental no one's fine, but could be the network. There's no reason not to use it. It's stupid to upload to unstable just to file a nasty bug so you know it's not intended for a stable release, and this would help with the tagging. That's why there's a lot of developers that are using, I mean, you look at that, using a symbol because that's where you find the last version of the libraries. I think experimental use is today quite safe, because I think it's automatically pinned down by app unless you give the problem. There are some problems with experimental, like the built-in network exists but it's unofficial, and for all arches it's reliable, so there are still advantages of using unstable for such reasons. I don't know, I think the release team already suggests to people that they have such a bug for a long time open, this package is not suitable for stable, to move it to experimental. But there might be cases where it's not suitable, like for example it's good that ECC's snapshot is, actually good that ECC's snapshot is unstable, because there's this package where you really need builds for
all architectures, and you just don't get that in the next time that you let them out. So just three inspections would be times not for production so far, don't you know? Yeah, but you really want to have the RC bug in an open agency, because that's visible for developers, right. We maybe should continue this on Debbie and Gashdure. I have some very short minutes of different ideas. Some are planning on coordinating touch activities or cost problem, many be also that 12 of people have many ideas but not after that was not the time to actually implement them, and keeping the interested persons together. What would be the best way to ask, to discuss this about the FTP, about the tactics? So, so it's probably good to see them or something like that if we discuss this and really create it. But so far most of these tags can actually just go to unstage them, except for the security bugs. There are things that change on security after stable is the least, yet that is what we discuss with the FTP, but I suppose it's kind of rare things happening. Anyway, we have the time until many three's to implement such a, no, but what they mean is a change to a security tag in stable is probably an event that happens twice during the last time of FTP, or in that case there's no space to be written, it's just a new journey to the override part. OK.