Hello Carsten,

On Mon, 17 Jul 2023 at 11:41 Carsten Haitzler <raster@archlinux.org> wrote:

On Mon, 17 Jul 2023 10:44:37 +0300 Tomaz Canabrava <tcanabrava@kde.org> said:

> On Mon, 17 Jul 2023 at 10:25 Jonathan Steel <jsteel@archlinux.org> wrote:
>
> > On Sun 16 Jul 2023 at 15:37, Tomaz Canabrava wrote:
> > > I have experience with packaging (debian, for work) but not on arch, but
> > > it’s shell and that thing I can handle :)
> >
> > Why not show this by maintaining some air packages?
>
>
> Mostly because there is nothing in aur that I use that lacks a maintainer.
> But I do have a software that is not packaged yet that I can port to aur.
>
>
>
> > > This is not gpg signed and I’m sorry for that, but gian and Antonio can
> > > also vouch for me as the validity of this email.
> >
> > Why is it not signed?
>
>
> Because I don’t have a gpg key, and when the dkim features on the email
> already are enough to validate that the email I send is from me.
>
>
> >
> > I think you should read https://wiki.archlinux.org/title/Trusted_Users and
> > re-submit a signed application showing the minimum requirements are met.
>
>
> I have read the wiki and I have applied to a packager position following
> the wiki rules or explaining why I didn’t follow a part of it, i won’t
> re-apply because that’s a waste of everyone’s time just for the sake of
> ticking boxes.
>
> Summary:
>  - [x] known on the opensource community with multiple, and used, programs
> - [x] packaging experience
> - [ ] aur / arch package experience
> - [x] contributes directly to upstream
> - [ ] signed the mail with gpg

Then I would reject your application as you don't plan to re-try with a PGP key
and don't even have one.

A PGP key is used to show that it was YOU and not someone else that signed a
package is a basic requirement of maintaining packages on Arch. That has
nothing to do with dkim or email. You'll need a PGP key for other things and if
you don't have one, you can't maintain packages. Signing your email with a PGP
key at least shows you have one and can use it for some basic things. As you're
clear you don't have one and have no intention of showing you do by re-applying
with a signed email I can't see how you would be able to maintain packages.

In addition, you don't have any packaging experience on Arch. The first step
is AUR. Get your feet wet somewhere that is simpler like AUR. I would suggest
you get some experience there first before you have to deal with submitting
community etc. packages that actually have more layers of work to be done over
and above what AUR needs, so AUR "work" is like learning the first 50% of what
is needed.

I think it'd be great if you did arrange to have a PGP key, showed us you have
one by signing an application after you've done some AUR packaging for a bit.

This is what I did - I maintained some AUR packages for a while then expanded
the number I work on and eventually applied to maintain more "core" packages
because I too an am upstream.

I'm not one of these "I must PGP sign everything" people. I'm not that
security-focused about my utterances by e-mail, but I do see the point of it
for packaging and I jumped through the hoops to deal with it.

I get your feeling of "Why bother - it's just an email", but it's a necessary
component in the packaging pipeline and ecosystem. You're not expected to be
some PGP guru. You're just expected to be able to sign some package to say it
was you that packaged it an that requires you do "jump through some hoops" at
this stage. I hope you'll reconsider.

That’s completely understandable.

 Today I’ll create an aur component for Codevis, a software to visualize large architectures Im developing for the past three years (that just got opensourced)

And I’ll also create a GPG key, and sign some email on this thread with it. 

Best,

Tomaz 

--
Carsten Haitzler <raster@archlinux.org>