On Tue, May 11, 2021 at 08:28:24AM -0400, Lukas Fleischer wrote:
Hi Morten,
Thanks for the summary.
Yoo! Thanks for explaining :)
On Mon, 10 May 2021 at 13:31:13, Morten Linderud via arch-dev-public wrote:
Why was this removed with no headsup? It caused a fair bit of confusion for a few people and the cause of this issue isn't very clear when packaged fail to verify. Ideally we should have pushed gnupg with an epoch?
I removed the package after Jan informed me yesterday that the package is broken. Apologies for not making a public announcement; I should have send an email to our mailing lists.
No worries. People started bugging me on IRC and there is now a thread on the subreddit as well. I thought I'd just send one before people started sending me personal emails about some weird conspiracies about compromised signing keys :p
The package has two undocumented patches, one to remove a warning and another one that's required for pacman. I was not aware that pacman required a patched version of GnuPG and will work on porting/rebasing and documenting the patches before pushing a new build.
Thanks! But it's probably a few more changes with the signing UIDs we need to account for. I believe Santiago and/or Jonas can explain but it would probably be better to share the package on the mailing list or throw it into staging so we can look at it before it enters testing.
When it comes to pushing with epoch, my understanding was that it is expected that packages break occasionally in [testing] and might get dropped. The recommendation for all [testing] users used to be to subscribe to arch-dev-public where dropped packages are (or at least should be) announced. Do we want to provide upgrade paths for broken packages in [testing]?
I'm not sure about if we traditionally drop packages from testing or do an epoch. I might be wrong and developers probably have a stronger opinion. Ideally testers should follow arch-dev-public closely. I thought it was mentioned somewhere but it apparently hasn't been on the testing team wikipage. NetSysFire has added a note for it :) https://wiki.archlinux.org/title/Arch_Testing_Team Thanks! -- Morten Linderud PGP: 9C02FF419FECBE16