Hello Carsten,

On Mon, 17 Jul 2023 at 11:41 Carsten Haitzler <raster@archlinux.org> wrote:
On Mon, 17 Jul 2023 10:44:37 +0300 Tomaz Canabrava <tcanabrava@kde.org> said:
On Mon, 17 Jul 2023 at 10:25 Jonathan Steel <jsteel@archlinux.org> wrote:
On Sun 16 Jul 2023 at 15:37, Tomaz Canabrava wrote:
I have experience with packaging (debian, for work) but not on arch, but it’s shell and that thing I can handle :)
Why not show this by maintaining some AUR packages?
Mostly because there is nothing in aur that I use that lacks a maintainer. But I do have a software that is not packaged yet that I can port to aur.
This is not gpg signed and I’m sorry for that, but Gian and Antonio can also vouch for me as the validity of this email.
Why is it not signed?
Because I don’t have a gpg key, and when the dkim features on the email already are enough to validate that the email I send is from me.
I think you should read https://wiki.archlinux.org/title/Trusted_Users and re-submit a signed application showing the minimum requirements are met.
I have read the wiki and I have applied to a packager position following the wiki rules or explaining why I didn’t follow a part of it, I won’t re-apply because that’s a waste of everyone’s time just for the sake of ticking boxes.
Summary:
- [x] known on the opensource community with multiple, and used, programs
- [x] packaging experience
- [ ] aur / arch package experience
- [x] contributes directly to upstream
- [ ] signed the mail with gpg
Then I would reject your application as you don't plan to re-try with a PGP key and don't even have one.
A PGP key is used to show that it was YOU and not someone else that signed a package is a basic requirement of maintaining packages on Arch. That has nothing to do with dkim or email. You'll need a PGP key for other things and if you don't have one, you can't maintain packages. Signing your email with a PGP key at least shows you have one and can use it for some basic things. As you're clear you don't have one and have no intention of showing you do by re-applying with a signed email I can't see how you would be able to maintain packages.
In addition, you don't have any packaging experience on Arch. The first step is AUR. Get your feet wet somewhere that is simpler like AUR. I would suggest you get some experience there first before you have to deal with submitting community etc. packages that actually have more layers of work to be done over and above what AUR needs, so AUR "work" is like learning the first 50% of what is needed.
I think it'd be great if you did arrange to have a PGP key, showed us you have one by signing an application after you've done some AUR packaging for a bit.
This is what I did - I maintained some AUR packages for a while then expanded the number I work on and eventually applied to maintain more "core" packages because I too am upstream.
I'm not one of these "I must PGP sign everything" people. I'm not that security-focused about my utterances by e-mail, but I do see the point of it for packaging and I jumped through the hoops to deal with it.
I get your feeling of "Why bother - it's just an email", but it's a necessary component in the packaging pipeline and ecosystem. You're not expected to be some PGP guru. You're just expected to be able to sign some package to say it was you that packaged it and that requires you to "jump through some hoops" at this stage. I hope you'll reconsider.
That’s completely understandable. Today I’ll create an aur component for Codevis, a software to visualize large architectures I’m developing for the past three years (that just got opensourced). And I’ll also create a GPG key, and sign some email on this thread with it.
Best,
Tomaz
-- Carsten Haitzler <raster@archlinux.org>