Hi again,

So I updated xrootd and pythia and submitted the relevant deletion requests. Now, can I get some package reviews? Thanks.

Regards,
Konstantin

On Fri, Mar 17, 2017 at 9:33 PM, Eli Schwartz via aur-general <aur-general@archlinux.org> wrote:
On 03/17/2017 02:17 PM, Konstantin Gizdov wrote:
Hi Eli and Sebastian,
OK, I see the orphan request got approved. Certainly, wasn't looking to draw outrage, but get advice on what the appropriate action is. I will update the relevant pythia, xrootd and submit deletion request myself for the others.
Thanks for fixing this yourself. It was less about outrage and more about being extra-emphatic about what is and isn't appropriate. :)
I save the outrage/abuse for people who have already been told what the right thing is, and refuse to listen. Everyone makes mistakes, and that is generally okay as long as it was done in good faith and, upon realizing the mistake, fixing it.
As to the package signing, I already know how to detach sign. I also know about the source signing. What is not clear to me is repo-add --sign. The docs say it will update 'the package database'. Which package database? Does AUR keep such info? I thought that was for Trusted Users and official repos.
What I want to do is essentially to provide a convenient way for people to build or directly download pre-built packages, if they choose to, and be able to verify them, without too much hassle. What do you recommend? Should I just make a *-bin version on AUR with my signature and detach sign the binaries on my own repo? I thought this was also not the AUR way?
Could I get someone's workflow for signed packages as an example?
No, this is entirely separate from the AUR. See the Wiki page for "Unofficial user repositories".
Various members of the community host their own prebuilt packages on their personal servers or whatever, for example, AUR packages that they use and want to sync on multiple computers, or something that takes a long compile time and they want to offer in addition to the AUR package.
`repo-add --sign` will allow you to generate a pacman-compatible sync repository that can be copied/rsynced to your personal server and then added to pacman.conf to download from your server, while signing the database itself (it is ideal to sign both the packages, via `makepkg --sign`, and the sync database itself).
-- Eli Schwartz
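
Added example, not part of the original thread: a pre-publish check for the signed personal repository described above, confirming that every package and the sync database have a detached signature before the directory is copied to a server, plus the matching pacman.conf section. The repo name "myrepo", the URL and the helper names unsigned_files and client_stanza are hypothetical.

```shell
#!/usr/bin/env bash
# Added example; "myrepo" and the server URL are hypothetical placeholders.
#
# Signing happens on the build machine with your own GPG key:
#   makepkg --sign                                  # package + detached .sig
#   repo-add --sign myrepo.db.tar.gz *.pkg.tar.zst  # sync database + its .sig

# unsigned_files DIR REPO
# Prints each file pacman would fetch from DIR that lacks a non-empty
# detached signature. Returns 0 only when nothing is missing.
unsigned_files() {
    local dir="$1" repo="$2" f missing=0
    for f in "$dir"/*.pkg.tar.* "$dir/$repo.db"; do
        case $f in
            *.sig) continue ;;   # skip the signature files themselves
        esac
        if [ ! -e "$f" ]; then
            # An unmatched glob is fine; a missing database is reported.
            [ "$f" = "$dir/$repo.db" ] || continue
        fi
        if [ ! -s "$f.sig" ]; then
            printf '%s\n' "${f##*/}"
            missing=1
        fi
    done
    return "$missing"
}

# client_stanza REPO URL
# Prints the pacman.conf section for a user who has already imported and
# locally signed the repo key (pacman-key --add, pacman-key --lsign-key).
# An unprefixed "Required" applies to both packages and the database.
client_stanza() {
    printf '[%s]\nSigLevel = Required\nServer = %s\n' "$1" "$2"
}
```

Run unsigned_files on the local repo directory before the rsync step and publish only when it prints nothing and returns 0.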