On Jan 24, 2024, at 11:07 PM, Miroslav Suchý <msuchy@xxxxxxxxxx> wrote:
> During my work on SPDX migration I filed hundreds of pull requests and as part of that work I always check if there are
> already open PRs for a package.
>
> It surprised me how many packages have open PRs. I understand when there is an open PR with a blocker or ongoing discussion.
> But I have seen PRs that are open for a year+ without any comment from anyone.

This is something that has also caused some amount of frustration amongst the Amazon Linux team and can end up as a pretty large de-motivator for contributing changes back to Fedora. The context switching back to a long time ago, and then likely having to re-adapt your changes can certainly lead to choosing the path of not submitting the change as it’s less hassle.

Is a possible solution to tweak how/what provenpackagers can/do do, and perhaps surface at a higher level what the global list of “pull requests without comments for a month” and “open pull requests mentioning CVE or the word security”?

Have it be more of a common pattern to have provenpackagers ack and merge CRs across the board? Perhaps some tweaking around SIGs so that experts in the ecosystem in question are looking at CRs there?

We have a similar-ish model to how we maintain packages in Amazon Linux internally - the key being to avoid SPoF in knowledge, and to enable us to move fast when needed (e.g. getting an important security update out to customers).

--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue