[aur-general] TU Application - blakkheim
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hello. I'd like to apply to become a trusted user.
I started using Arch around 2009 when we still had the curses installer, rc.conf, hal... the good old days. I left at some point and came back as a full-time user about three years ago. You can find me on IRC under the name blakkheim, usually in #archlinux-security since that's my main area of interest.
I'm the maintainer or co-maintainer for a few OpenBSD-derived packages in the AUR: openiked, rpki-client, and openbgpd. I've been involved with OpenBSD since 2014 and became a project committer there in early 2016.
In the last two years I've submitted just over 150 patches to the Arch bug tracker: https://bugs.archlinux.org/index.php?opened=32638&status[]=
Some community packages I'd like to co-maintain are openntpd, opensmtpd, libressl, sndio, mandoc, signify, dnscrypt-proxy, bmake, scrot, firejail, xcalib, mktorrent, parallel, ncmpcpp...
And more (frankly, lots more) in the core/extra repos if that option opens up in the future. I keep up with many software projects via their mailing lists and RSS/atom feeds. If I'm accepted, one of my goals will be to get missing security fixes into Arch's repository shortly after their upstream release.
The sponsors of my application are dvzrv, kpcyrd, and anthraxx. (yep, three)
-----BEGIN PGP SIGNATURE-----
iHUEARYIAB0WIQRUwf0nM2HqUUojd5Pylr3lA2jGzgUCYvuMwwAKCRDylr3lA2jG
zvh9AQDOvEQbJdu3vfoPUY+Q+amtiwOatfD7nHje2XcviXF82gD/SL2aw0SNm9/Q
sxcT+MltS0EoPTyR+OwOU9lHkpyuFQw=
=4mzL
-----END PGP SIGNATURE-----
On 2022-08-16 08:30:48 (-0400), T.J. Townsend via aur-general wrote:
Hello. I'd like to apply to become a trusted user.
I confirm my sponsorship. Best, David -- https://sleepmap.de
Hi! I wonder, do you have an AUR account we could peruse? Cheers! -Santiago On Tue, Aug 16, 2022 at 08:30:48AM -0400, T.J. Townsend via aur-general wrote:
Hello. I'd like to apply to become a trusted user.
On Tue, Aug 16, 2022 at 09:59:57AM -0400, Santiago Torres-Arias wrote:
Hi!
I wonder, do you have an AUR account we could peruse?
Cheers! -Santiago
Here it is: https://aur.archlinux.org/account/blakkheim
On 8/16/22 14:30, T.J. Townsend via aur-general wrote:
Hello. I'd like to apply to become a trusted user.
I confirm my sponsorship, I've attached a signed response to this mail. cheers, kpcyrd
On 2022-08-16 08:30, T.J. Townsend via aur-general wrote:
I started using Arch around 2009 when we still had the curses installer, rc.conf, hal... the good old days.
That was all awful and I much prefer the way things are now. :)
On 8/16/22 14:30, T.J. Townsend via aur-general wrote:
Hello. I'd like to apply to become a trusted user.
The sponsors of my application are dvzrv, kpcyrd, and anthraxx. (yep, three)
I am also confirming my sponsorship. A race condition led to the off by one :p
cheers, Levente
On 2022-08-16 08:30:48 (-0400), T.J. Townsend via aur-general wrote:
Hello. I'd like to apply to become a trusted user.
Hi all, this is a short reminder that more than a week has passed since the application process has started. If you want to ask questions, you still have until the 30th! Please make use of that time. Best, David -- https://sleepmap.de
On Tue, Aug 16, 2022 at 08:30:48AM -0400, T.J. Townsend via aur-general wrote:
Hello. I'd like to apply to become a trusted user.
hello T.J.
I started using Arch around 2009 when we still had the curses installer, rc.conf, hal... the good old days. I left at some point and came back as a full-time user about three years ago. You can find me on IRC under the name blakkheim, usually in #archlinux-security since that's my main area of interest.
I'm the maintainer or co-maintainer for a few OpenBSD-derived packages in the AUR: openiked, rpki-client, and openbgpd. I've been involved with OpenBSD since 2014 and became a project committer there in early 2016.
you don't have many packages, and it was hard for me to find something for nitpicking, but I still managed.
# openiked
depends=('glibc' 'libevent' 'openssl')
it's hard to imagine a system without glibc installed, but I've seen the same packages in our repositories. so it's ok.
makedepends=('linux-headers' 'bison' 'cmake')
'bison' is in base-devel group so no need to include it here.
In the last two years I've submitted just over 150 patches to the Arch bug tracker: https://bugs.archlinux.org/index.php?opened=32638&status[]=
oh this is very cool.
Some community packages I'd like to co-maintain are openntpd, opensmtpd, libressl, sndio, mandoc, signify, dnscrypt-proxy, bmake, scrot, firejail, xcalib, mktorrent, parallel, ncmpcpp...
And more (frankly, lots more) in the core/extra repos if that option opens up in the future. I keep up with many software projects via their mailing lists and RSS/atom feeds. If I'm accepted, one of my goals will be to get missing security fixes into Arch's repository shortly after their upstream release.
The sponsors of my application are dvzrv, kpcyrd, and anthraxx. (yep, three)
-- Sincerely, Alexander | Trusted User
hello T.J.
you don't have many packages, and it was hard for me to find something for nitpicking, but I still managed.
# openiked
depends=('glibc' 'libevent' 'openssl')
it's hard to imagine a system without glibc installed, but I've seen the same packages in our repositories. so it's ok.
It can be a little confusing for new users because the tooling will print warnings about this:
openiked W: Dependency glibc included but already satisfied
openiked W: Dependency openssl included but already satisfied
But Arch's packaging policy says "Do not rely on transitive dependencies in any of the PKGBUILD#Dependencies, as they might break if one of the dependencies is updated."
These two things seem to be in conflict with each other, so I went with the policy statement as the deciding rule.
makedepends=('linux-headers' 'bison' 'cmake')
'bison' is in base-devel group so no need to include it here.
I can remove that, but it also sounds like a transitive dependency. Is base-devel an exception? Maybe the documentation on this issue could be clarified a bit.
In the last two years I've submitted just over 150 patches to the Arch bug tracker: https://bugs.archlinux.org/index.php?opened=32638&status[]=
oh this is very cool.
(They've probably gotten sick of seeing my name in those bug report emails by now, huh?) Anyway, I appreciate your input.
On 25/08/2022 18:08, T.J. Townsend via aur-general wrote:
It can be a little confusing for new users because the tooling will print warnings about this:
openiked W: Dependency glibc included but already satisfied
openiked W: Dependency openssl included but already satisfied
But Arch's packaging policy says "Do not rely on transitive dependencies in any of the PKGBUILD#Dependencies, as they might break if one of the dependencies is updated."
These two things seem to be in conflict with each other, so I went with the policy statement as the deciding rule.
Sure, but the issue is that 'glibc' is in the 'base' group that will exist on any Arch Linux install. There is a bit of debate whether we include these or not. Most people normally do not as it's a given on any system. In any case, 'glibc' is not really a transitive dependency in that sense.
makedepends=('linux-headers' 'bison' 'cmake')
'bison' is in base-devel group so no need to include it here.
I can remove that, but it also sounds like a transitive dependency. Is base-devel an exception? Maybe the documentation on this issue could be clarified a bit.
Again, this is specific to the build tools. 'makedepends' is meant for dependencies needed for building the package only and not at runtime. Therefore, when you are building the package you are guaranteed to have 'base-devel' group installed. So it's not needed and sometimes frowned upon to include these packages in makedepends.
The general idea behind all this is that these arrays should include only things that are not already guaranteed to exist for minimalism, tidiness, reducing confusion when someone reads your PKGBUILD, maintainability and so on. And you do kinda start to pick up on these with experience because once in a blue moon they do break your stuff and you remember it. :)
-- Regards, Konstantin
On 8/25/22 17:40, Konstantin Gizdov via aur-general wrote:
On 25/08/2022 18:08, T.J. Townsend via aur-general wrote:
It can be a little confusing for new users because the tooling will print warnings about this:
openiked W: Dependency glibc included but already satisfied
openiked W: Dependency openssl included but already satisfied
But Arch's packaging policy says "Do not rely on transitive dependencies in any of the PKGBUILD#Dependencies, as they might break if one of the dependencies is updated."
These two things seem to be in conflict with each other, so I went with the policy statement as the deciding rule.
Sure, but the issue is that 'glibc' is in the 'base' group that will exist on any Arch Linux install. There is a bit of debate whether we include these or not. Most people normally do not as it's a given on any system. In any case, 'glibc' is not really a transitive dependency in that sense.
I'd disagree here. I do not like to treat a handful of packages as special just because it's virtually impossible to run a system without them. It's a much easier and better model to declare all primary runtime dependencies. Glibc is only special because it's glibc, not because it's in base.
The 'base' meta package is a meta package for a reason. It can change at any point in time reflecting what we currently declare as a base minimum for a system to be called "Arch Linux". It's quite a bad trade trying to spend a couple fewer characters in a depends array when this base package may theoretically change at any point in time -- which should not lead to any package needing any adjustments. In that sense glibc is only special because you won't in fact run a system without glibc.
Either way my stance is easy: There is no reason trying to declare any packages as special in terms of not needing to declare them. It brings up the burden to remember or argue while in fact it brings absolutely no advantages to omit it -- but on the other hand potential scenarios where it creates issues. Hence just declare whatever the package actually needs and call it a day. I'd say that sounds more like keeping it simple stupid.
cheers, Levente
On 16/08/2022 15:30, T.J. Townsend via aur-general wrote:
Hello. I'd like to apply to become a trusted user.
Hi T.J. First of all best of luck!
I'm the maintainer or co-maintainer for a few OpenBSD-derived packages in the AUR: openiked, rpki-client, and openbgpd. I've been involved with OpenBSD since 2014 and became a project committer there in early 2016.
In the last two years I've submitted just over 150 patches to the Arch bug tracker: https://bugs.archlinux.org/index.php?opened=32638&status[]=
Many of these patches and bugs are switching to https and signed commits and given the limited AUR packages (3) you are involved as maintainer / co-maintainer I don't see a lot of PKGBUILDs to have a view on your packaging history.
Some community packages I'd like to co-maintain are openntpd, opensmtpd, libressl, sndio, mandoc, signify, dnscrypt-proxy, bmake, scrot, firejail, xcalib, mktorrent, parallel, ncmpcpp...
Some of these are with a sole maintainer which is great since they could be busy +1
And more (frankly, lots more) in the core/extra repos if that option opens up in the future. [..] If I'm accepted, one of my goals will be to get missing security fixes into Arch's repository shortly after their upstream release.
What stops you from opening bug reports and submitting patches for those now without being a TU? If these are in core/extras your options would be the same as you have now, right?
Cheers, Leonidas
On Thu, Aug 25, 2022 at 08:43:38PM +0300, Leonidas Spyropoulos via aur-general wrote:
I'm the maintainer or co-maintainer for a few OpenBSD-derived packages in the AUR: openiked, rpki-client, and openbgpd. I've been involved with OpenBSD since 2014 and became a project committer there in early 2016.
In the last two years I've submitted just over 150 patches to the Arch bug tracker: https://bugs.archlinux.org/index.php?opened=32638&status[]=
Many of these patches and bugs are switching to https and signed commits and given the limited AUR packages (3) you are involved as maintainer / co-maintainer I don't see a lot of PKGBUILDs to have a view on your packaging history.
Supply chain attacks are an area of interest for me, so getting more of our packages to use secure downloads and PGP verification has been one of my main focuses so far. When I first started building Arch packages, I did a fairly deep dive into the repositories to find anything that was being pulled over HTTP or unencrypted git:// links. Some of the added PGP verification has been a result of me convincing the upstream projects to use it consistently. I think it's an effort worth pursuing.
My use of the AUR is somewhat limited, but the PKGBUILDs there should give you a general idea of my familiarity.
Some community packages I'd like to co-maintain are openntpd, opensmtpd, libressl, sndio, mandoc, signify, dnscrypt-proxy, bmake, scrot, firejail, xcalib, mktorrent, parallel, ncmpcpp...
Some of these are with a sole maintainer which is great since they could be busy +1
I tried to pick ones with two or fewer maintainers. There are some others I'd be glad to co-maintain, but didn't feel like it was necessary when they had more than two maintainers already.
And more (frankly, lots more) in the core/extra repos if that option opens up in the future. [..] If I'm accepted, one of my goals will be to get missing security fixes into Arch's repository shortly after their upstream release.
What stops you from opening bug reports and submitting patches for those now without being a TU? If these are in core/extras your options would be the same as you have now, right?
As far as core/extra repos go, yes, I'll still be stuck submitting missing security fixes through the bugtracker for the time being. My hope is to one day gain access to those through becoming a developer, at which time I can get a lot more work done and make a bigger positive impact. Becoming a TU would be a good first step in that process though. Thanks for your reply.
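The audit described in the reply above (sources pulled over HTTP or unencrypted git://, and missing PGP verification) can be approximated with a textual scan of a PKGBUILD's arrays. This is an added example, not code from the thread or from Arch's tooling; the package name, URLs, key placeholder and rule names are constructed for illustration.

```python
import re
import shlex

ARRAY_RE = re.compile(r"^\s*(\w+)=\((.*?)\)", re.MULTILINE | re.DOTALL)
URL_RE = re.compile(r"^(?:(\w+)\+)?(\w+)://")    # optional VCS prefix, then scheme
PLAINTEXT = {"http", "ftp", "git"}               # transports without integrity
SIG_SUFFIXES = (".sig", ".sign", ".asc")         # detached signatures makepkg verifies

# Constructed PKGBUILD fragments: hypothetical package, URLs and key placeholder.
BEFORE = """
pkgname=exampled
pkgver=1.0
source=("http://downloads.example.org/exampled-$pkgver.tar.gz"
        "plugins::git://git.example.org/plugins.git"
        "exampled.service")
"""
AFTER = """
pkgname=exampled
pkgver=1.0
source=("https://downloads.example.org/exampled-$pkgver.tar.gz"{,.asc}
        "plugins::git+https://git.example.org/plugins.git#tag=v$pkgver?signed"
        "exampled.service")
validpgpkeys=('FINGERPRINT_PLACEHOLDER')
"""


def parse_arrays(pkgbuild):
    """Collect bash array assignments textually; the PKGBUILD is never executed."""
    arrays = {}
    for name, body in ARRAY_RE.findall(pkgbuild):
        arrays.setdefault(name, []).extend(shlex.split(body))
    return arrays


def audit(pkgbuild):
    """Return sorted (rule, detail) findings for one PKGBUILD text."""
    arrays = parse_arrays(pkgbuild)
    findings, remote, verified = set(), 0, False
    for name, entries in arrays.items():
        if name != "source" and not name.startswith("source_"):
            continue
        for entry in entries:
            src = entry.split("::", 1)[-1]        # drop a 'filename::' rename prefix
            match = URL_RE.match(src)
            if not match:
                continue                          # local file next to the PKGBUILD
            remote += 1
            if match.group(2) in PLAINTEXT:
                findings.add(("plaintext-transport", src))
            # Strip fragment/query; rstrip also catches the "{,.asc}" brace idiom.
            path = src.split("#", 1)[0].split("?", 1)[0].rstrip("}")
            if path.endswith(SIG_SUFFIXES) or "?signed" in src:
                verified = True
    if remote and not verified:
        findings.add(("no-signature-source", "no detached signature or ?signed source"))
    if verified and not arrays.get("validpgpkeys"):
        findings.add(("missing-validpgpkeys", "signature used but no key pinned"))
    return sorted(findings)


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(text))
```

Because the scan is purely textual, arrays built with command substitution or unusual quoting need a manual look.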
On 2022-08-16 08:30:48 (-0400), T.J. Townsend via aur-general wrote:
Hello. I'd like to apply to become a trusted user.
The discussion period is now over. Thanks to all participants! I have started a vote [1] which will end 2022-09-06 17:30 (CEST).
Best, David
[1] https://aur.archlinux.org/tu/139
-- https://sleepmap.de
@TUs: less than 2 days left, please cast your votes on the new TU application https://aur.archlinux.org/tu/139 cheers, Levente
On 8/16/22 14:30, T.J. Townsend via aur-general wrote:
Hello. I'd like to apply to become a trusted user.
...
The voting period has ended.
Yes 34
No 4
Abstain 15
Total 53
Participation 86.89%
Result: Accepted
Congratulations, you are now officially accepted as TU.
cheers, Levente
participants (9)
- Alexander Epaneshnikov
- Brett Cornwall
- David Runge
- Konstantin Gizdov
- kpcyrd
- Leonidas Spyropoulos
- Levente Polyak
- Santiago Torres-Arias
- T.J. Townsend