Package Maintainer Application - Quentin Michaud
Hi everyone,
My name is Quentin, or mh4ckt3mh4ckt1c4s/mh4ckwascut on the AUR and other Arch projects, and I'm applying to become a Package Maintainer. My application is sponsored by Robin Candau (Antiz) and Rémi Gacogne (rgacogne).
I'm a graduated CS/networking engineer who is pursuing his studies as a PhD student in cybersecurity at the Institut Polytechnique de Paris, France (for the curious, an abstract of the topic of my PhD is available here: https://theses.fr/s374883).
I started programming in high school, and as I was more and more interested in "how computers work", I naturally started to tinker with Linux. After a little distro hopping, I wanted to dive more into the inner workings of a Linux distribution and Arch was the distro of choice. I fell in love with the rolling release, the always up-to-date packages, the wiki, and the AUR, among others. I now run Arch not only on my main laptop, but on my experimentation machines as well. I tried to go further, explored Gentoo and LFS, but I stuck with Arch as the distro allowing me to best tailor my computers to my needs while being fast and simple (who doesn't hate compilation times?).
With time, I familiarized myself with the AUR, adopted a package I was using that was orphaned, and started submitting my own packages. I ended up using a lot of little-used packages from the AUR, such as pentesting tools (for Capture The Flags) and fancy stuff related to my PhD. Most of these packages were orphaned or had bugs, and I started the habit of regularly looking for abandoned packages that I was using and picking them up on the AUR.
A few times, I stumbled on outdated packages in the extra repo (ruby-iostruct and LLVM are the ones I remember), and I thought that if my beloved Arch was sometimes not up-to-date, maybe I could help and make Arch a little better. That's why I'm sending this mail today! Alongside packaging, I helped on other topics around Arch, such as becoming a package tester or improving a few articles in the wiki.
Alongside Arch, I'm involved in OSS in general, contributing to various projects I use. All can be found on my GitHub and GitLab profiles, but big projects I have contributed to are LLVM, GitLab and YunoHost. When I'm not coding something or maintaining my homelab, I'm running or reading to clear my head.
As a Package Maintainer, I would like to bring from my AUR packages to the extra repo podman-desktop, which I feel makes sense as podman and various related tools are already in extra, and a few WebAssembly packages such as wasi-tools. I also plan to merge my zaproxy-desktop package with zaproxy that is already in extra. As for the packages I can co-maintain, I would be happy to help with LLVM-related packages, or any other package that would need help and where I would be useful, like containerization or security tools.
Relevant links:
My AUR packages: https://aur.archlinux.org/packages?K=mh4ckwascut&SeB=m
My GitHubs (personal and work): https://github.com/mh4ckt3mh4ckt1c4s and https://github.com/mh4ck-Thales
GitLab: https://gitlab.com/mh4ckt3mh4ckt1c4s/
My personal website: https://www.mh4ckt3mh4ckt1c4s.xyz/
The YunoHost application I created and maintained for over a year: https://github.com/YunoHost-Apps/searxng_ynh
My GitLab contributions: https://gitlab.com/gitlab-org/gitlab/-/merge_requests?scope=all&state=all&author_username=mh4ckt3mh4ckt1c4s
My LLVM contributions: https://github.com/llvm/llvm-project/issues?q=involves%3Amh4ck-Thales
Hoping that gives you a good introduction of myself and my motivations. Thanks for reading, cheers!
Quentin
Dear Quentin,
I wish you luck for your application. I'm just an Arch user with no background in security and I'm not really qualified to judge the application. So, this is a question rather than anything else. Your username is quite kind of obfuscated. My naive intuition tells me that this is bad security practice because it would be quite expensive and error-prone to verify if a user I've received a mail from is indeed you or someone whose username is slightly different from you. Is my intuition right or wrong? If wrong, why is it wrong?
Thank you.
--
Best
Jayesh Badwaik
Profile: https://www.fz-juelich.de/profile/badwaik_j
Legal Notice: https://www.fz-juelich.de/en/legal-notice
On 7/24/24 10:57 PM, Jayesh Badwaik wrote:
> Dear Quentin,
> I wish you luck for your application. I'm just an Arch user with no background in security and I'm not really qualified to judge the application. So, this is a question rather than anything else. Your username is quite kind of obfuscated. My naive intuition tells me that this is bad security practice because it would be quite expensive and error-prone to verify if a user I've received a mail from is indeed you or someone whose username is slightly different from you. Is my intuition right or wrong? If wrong, why is it wrong?
> Thank you.
Hi,
This is (one of the reasons) why we require GPG signing. The username itself isn't bulletproof, but the GPG signature is ;)
--
Regards,
Robin Candau / Antiz
Thanks for the answer. :-)
--
Best
Jayesh Badwaik
Profile: https://www.fz-juelich.de/profile/badwaik_j
Legal Notice: https://www.fz-juelich.de/en/legal-notice
On Thursday 25 July 2024 01:23:27 CEST Robin Candau wrote:
> Hi,
> This is (one of the reasons) why we require GPG signing. The username itself isn't bulletproof, but the GPG signature is ;)
> --
> Regards,
> Robin Candau / Antiz
On 7/24/24 3:57 PM, Jayesh Badwaik wrote:
> Dear Quentin,
> I wish you luck for your application. I'm just an Arch user with no background in security and I'm not really qualified to judge the application. So, this is a question rather than anything else. Your username is quite kind of obfuscated. My naive intuition tells me that this is bad security practice because it would be quite expensive and error-prone to verify if a user I've received a mail from is indeed you or someone whose username is slightly different from you. Is my intuition right or wrong? If wrong, why is it wrong?
> Thank you.
Very good point,
Let's make sure it isn't an alias for Jia Tan...
--
David C. Rankin, J.D.,P.E.
On 7/26/24 12:34 AM, David C. Rankin wrote:
> Very good point,
> Let's make sure it isn't an alias for Jia Tan...
Quentin actually uses the "mh4ckwascut" nickname on Arch side for most (e.g. on the AUR [1]), which I think is reasonably easy to process for people.
Also, once again, a nickname/alias has never been a relevant proof of authenticity/identification contrary to other means meant for that, for instance GPG signing (which we require when submitting an application). The (nick)name I sign my mails with should not be what people should look for to prove my identity and could theoretically be changed at each message without altering the authenticity of my GPG signature.
Such an obfuscated nickname can indeed potentially be the source of technical complications for specific stuff but proving the authenticity of a mail is not one of them.
Let's please stop with that *not so* "very good point" and focus on Quentin's application as a whole :)
[1] https://aur.archlinux.org/account/mh4ckwascut
--
Regards,
Robin Candau / Antiz
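The point made in the reply above, that authenticity rests on the signing key and not on the display name, shown as an added example (not part of the thread and not Arch's own tooling). It reads the machine-readable output of `gpg --status-fd 1 --verify` and accepts a message only when the `VALIDSIG` primary-key fingerprint equals a pinned one; the fingerprints, user IDs and status lines are constructed, and the pinned fingerprint is assumed to have been obtained out of band.

```python
"""Accept a signed mail by pinned key fingerprint, never by display name.

Input is the machine-readable output of `gpg --status-fd 1 --verify <file>`.
All fingerprints, names and status lines here are constructed samples.
"""

# Status keywords (GnuPG doc/DETAILS) that mean the signature must not be trusted.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

PINNED = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"  # constructed
OTHER = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"              # constructed


def _norm(fpr):
    """Strip spacing and case so fingerprints compare byte for byte."""
    return "".join(fpr.split()).upper()


def check_signer(status_output, pinned_fingerprint):
    """Return (accepted, reason) for one signed message."""
    pinned = _norm(pinned_fingerprint)
    primary = None
    claimed = None
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in REJECT:
            return False, f"gpg reported {keyword}"
        if keyword == "GOODSIG":
            # Free-text user ID chosen by the key owner: informational only.
            claimed = " ".join(args[1:])
        elif keyword == "VALIDSIG" and args:
            # First field: fingerprint of the signing (sub)key; last field of
            # the full 10-field form: fingerprint of its primary key.
            primary = _norm(args[-1] if len(args) >= 10 else args[0])
    if primary is None:
        return False, "no valid signature"
    if primary != pinned:
        return False, f"valid signature from unpinned key {primary}, claiming {claimed!r}"
    return True, f"pinned key {primary}, display name {claimed!r}"


def _status(fpr, uid):
    """Build constructed status lines for a good signature made by key `fpr`."""
    fpr = _norm(fpr)
    return (f"[GNUPG:] GOODSIG {fpr[-16:]} {uid}\n"
            f"[GNUPG:] VALIDSIG {fpr} 2024-07-25 1721900000 0 4 0 22 10 00 {fpr}\n")


SAMPLES = {
    "same key, usual nickname": _status(PINNED, "packager-one <p1@example.org>"),
    "same key, new nickname": _status(PINNED, "totally-different <p1@example.org>"),
    "lookalike nickname, other key": _status(OTHER, "packager-0ne <p1@example.org>"),
    "tampered body": "[GNUPG:] BADSIG 89ABCDEF01234567 packager-one <p1@example.org>\n",
    "unsigned": "",
}

if __name__ == "__main__":
    for label, status in SAMPLES.items():
        ok, reason = check_signer(status, PINNED)
        print(f"{'ACCEPT' if ok else 'REJECT'}  {label}: {reason}")
```

A changed nickname on the pinned key is still accepted, while a lookalike nickname on any other key is rejected even though gpg reports a good signature for it.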
On 7/24/24 10:38 PM, mh4ckt3mh4ckt1c4s wrote:
> Hi everyone,
> My name is Quentin, or mh4ckt3mh4ckt1c4s/mh4ckwascut on the AUR and other Arch projects, and I'm applying to become a Package Maintainer. My application is sponsored by Robin Candau (Antiz) and Rémi Gacogne (rgacogne). [...]
Hi Quentin, good luck for your application!
I confirm my sponsorship.
--
Regards,
Robin Candau / Antiz
On 24/07/2024 22:38, mh4ckt3mh4ckt1c4s wrote:
> My name is Quentin, or mh4ckt3mh4ckt1c4s/mh4ckwascut on the AUR and other Arch projects, and I'm applying to become a Package Maintainer. My application is sponsored by Robin Candau (Antiz) and Rémi Gacogne (rgacogne).
I confirm my sponsorship of Quentin!
Greetings,
Remi
On 7/25/24 9:24 AM, Remi Gacogne wrote:
> I confirm my sponsorship of Quentin!
> Greetings,
> Remi
This marks the beginning of the discussion period which will conclude in two weeks on 2024-08-08. The voting will start on the same day and conclude on 2024-08-15.
--
Regards,
Robin Candau / Antiz
On 7/25/24 10:02 AM, Robin Candau wrote:
> This marks the beginning of the discussion period which will conclude in two weeks on 2024-08-08. The voting will start on the same day and conclude on 2024-08-15.
Kind reminder that the discussion period has 1 more week left.
--
Regards,
Robin Candau / Antiz
On 8/1/24 9:45 AM, Robin Candau wrote:
> Kind reminder that the discussion period has 1 more week left.
Discussion period is over and the vote is live. Please cast your votes: https://aur.archlinux.org/package-maintainer/155
--
Regards,
Robin Candau / Antiz
On 8/8/24 8:22 AM, Robin Candau wrote:
> Discussion period is over and the vote is live. Please cast your votes: https://aur.archlinux.org/package-maintainer/155
Kind reminder that the vote ends in a few days (2024-08-15).
--
Regards,
Robin Candau / Antiz
On 8/11/24 5:41 PM, Robin Candau wrote:
> Kind reminder that the vote ends in a few days (2024-08-15).
The voting period has ended.
Results:
Yes  No  Abstain  Total  Participation
33   7   11       51     80.95%
Congratulations Quentin, you are now officially accepted as a Package Maintainer!
Please proceed with https://wiki.archlinux.org/title/Package_Maintainer_guidelines#TODO_list_for...
I'll accompany you through the onboarding process :)
--
Regards,
Robin Candau / Antiz
mh4ckt3mh4ckt1c4s <mh4ckt3mh4ckt1c4s@protonmail.com> on Wed, 2024/07/24 20:38:
> [...] I tried to go further, explored Gentoo and LFS, but I stuck with Arch as the distro allowing me to best tailor my computers to my needs while being fast and simple (who doesn't hate compilation times?). [...]
I have used both for some time, LFS and Gentoo. Switched to Arch to get rid of compiling my packages... And started doing so again. 😜 Crazy world.
(Well, the big difference this time is that not only me is using these packages, but all members of Arch community. 😉)
Good luck for your application!
--
main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/* Best regards my address: */=0;b=c[a++];)
putchar(b-1/(/* Chris cc -ox -xc - && ./x */b/42*2-3)*42);}
On Thursday, July 25th, 2024 at 9:52 AM, Christian Hesse <list@eworm.de> wrote:
> I have used both for some time, LFS and Gentoo. Switched to Arch to get rid of compiling my packages... And started doing so again. 😜 Crazy world.
> (Well, the big difference this time is that not only me is using these packages, but all members of Arch community. 😉)
Ah ah! I have nothing against compiling things around, except when it's freezing my PC for 8 hours straight when I need it the most :-D I'd be more than happy to compile new things...
> Good luck for your application!
Thanks!
> main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH"
> "CX:;",b;for(a/* Best regards my address: */=0;b=c[a++];)
> putchar(b-1/(/* Chris cc -ox -xc - && ./x */b/42*2-3)*42);}
... Oh, a new thing to compile! Took me a little while to make it work, but I like it :-)
Quentin
> Ah ah! I have nothing against compiling things around, except when it's freezing my PC for 8 hours straight when I need it the most :-D I'd be more than happy to compile new things...
Just a heads up that you would get access to our build server, and this would no longer be a worry. :)
--
Best,
Daniel <https://danielcapella.com>
Hello Quentin,
On 24/07/2024 21:38, mh4ckt3mh4ckt1c4s wrote:
> My name is Quentin, or mh4ckt3mh4ckt1c4s/mh4ckwascut on the AUR and other Arch projects, and I'm applying to become a Package Maintainer. My application is sponsored by Robin Candau (Antiz) and Rémi Gacogne (rgacogne).
Good luck on the application
> [..] I would like to bring from my AUR packages to the extra repo podman-desktop
You are maintaining podman-desktop-bin. We rarely package binary packages if we can build the ones from source. Do you plan to build from source this?
> I also plan to merge my zaproxy-desktop package with zaproxy that is already in extra.
This is just an icon and a .desktop file - you can raise an MR already for it.
> As for the packages I can co-maintain, I would be happy to help with LLVM-related packages, or any other package that would need help and where I would be useful, like containerization or security tools.
Sure - you can look at orphan first :)
A few comments on your PKGBUILDs from AUR
python-stegoveritas
The PKGBUILD seems to not follow the python packages guidelines [1]
recon-ng
This [2] is slightly confusing. It adds no value as far as I can tell as it doesn't change the default behaviour. Can you elaborate a bit on why this patch is needed?
python-spark-parser
This seems weird PKGBUILD. Using a split pattern for a non split package and not following python guidelines [1]
[1]: https://wiki.archlinux.org/title/Python_package_guidelines
[2]: https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=recon-ng#n23
Cheers,
--
Leonidas Spyropoulos
Developer & DevOps
PGP: 244740D17C7FD0EC
On 7/26/24 9:13 AM, Leonidas Spyropoulos wrote:
> recon-ng
> This [2] is slightly confusing. It adds no value as far as I can tell as it doesn't change the default behaviour. Can you elaborate a bit on why this patch is needed?
I'm the original author of the recon-ng opt-in-analytics patch, it changes the `analytics` setting from "default true" to "default false". By default, recon-ng generates a device ID in ~/.recon-ng/.cid and reports it to Google Analytics.
https://github.com/lanmaster53/recon-ng/blob/470f4c1e290587adb7afb97e1f509a0...
cheers,
kpcyrd
On Friday, July 26th, 2024 at 9:13 AM, Leonidas Spyropoulos <artafinde@archlinux.org> wrote:
> Good luck on the application
Thanks!
> You are maintaining podman-desktop-bin. We rarely package binary packages if we can build the ones from source. Do you plan to build from source this?
Yes, it's already existing in the AUR as a source package. I'm just maintaining the -bin one to avoid build times that can be lengthy on this package, and I want to integrate podman-desktop into the AUR because I feel it would be a nice addition to the podman tools already present in extra.
> > I also plan to merge my zaproxy-desktop package with zaproxy that is already in extra.
> This is just an icon and a .desktop file - you can raise an MR already for it.
You're right. I opened it here: https://gitlab.archlinux.org/archlinux/packaging/packages/zaproxy/-/merge_re...
> python-stegoveritas
> The PKGBUILD seems to not follow the python packages guidelines [1]
Thanks for the info. I'll fix the source and the other little things that are wrong.
> recon-ng
> This [2] is slightly confusing. It adds no value as far as I can tell as it doesn't change the default behaviour. Can you elaborate a bit on why this patch is needed?
As kpcyrd said, this patch removes tracking that is enabled by default in upstream. I left it because I agree with the goal of the patch. More generally, it seems that the developer of recon-ng switched to a rolling-release model, making this package obsolete. It is still working but will probably not be updated anymore, and I'm considering removing it and replacing it with a -git package.
> python-spark-parser
> This seems weird PKGBUILD. Using a split pattern for a non split package and not following python guidelines [1]
Indeed, this package was originally split, but I removed the deprecated python2 subpackage and I missed some cleaning. I'll fix that too.
Thanks for your feedback!
Cheers
Quentin
participants (9)
- Christian Hesse
- Daniel M. Capella
- David C. Rankin
- Jayesh Badwaik
- kpcyrd
- Leonidas Spyropoulos
- mh4ckt3mh4ckt1c4s
- Remi Gacogne
- Robin Candau