On 19/02/11 22:55, Daniel Mendler wrote:
> Hi Allan
>
>> I will repeat myself again... Patches for pacman do bugger all for getting signatures into Arch Linux repos. Patches for the Arch Linux devtools/db-scripts packages are needed.
>
> Well, Pierre says the same for pacman. Someone has to take the first initiative here.
Well, he is wrong... :P I will post why in reply to that message soon.
>> And I will once again point to the package signing TODO page for a list of what we need to do at a minimum before this becomes integrated in the main pacman branch: https://wiki.archlinux.org/index.php/User:Allan/Package_Signing As with all feature branches, they are integrated into master when they are finished. Otherwise we can not make a release without actually getting it fully completed or backing out the unfinished work. Given the rate this has been developed, the second seems the likely outcome.
>
> I understand that it should be finished before it is merged. What is missing is a strong statement from the development team that they want signatures asap. I think there are enough people who are willing to provide patches (me included) if you show real interest in package signing.
What a load of bullshit. The first patch was submitted over two years ago and immediately pulled into a branch. But as has happened repeatedly, that person disappeared and never finished. All further work by other people was also reviewed and/or pulled to one of the main developers git branches fairly quickly after posting. And we have repeatedly said "patches welcome". I'm not sure how much clearer we could be that this is an area that we would be happy for people to work on.
>> Finally, "minor" performance issues interest me a hell of a lot more than package signing. Mainly because that actually affects me whereas unsigned packages really do not... That is why I spent my free time implementing them. Thinking about it, improving optdepends handling, transaction hooks, VCS support in makepkg, adding a test suite for makepkg, automatic creation of debug packages, .... all affect me more than package signing does, so maybe I will start work on package signing again once those are finished.
>
> You really have to rethink your priority list here. Those attacks on package managers have been known for a long time and the package signing point has come up very often on the pacman mailing list. So there are people who are concerned about it.
As I said, it really does not affect me. I use the master server for my repo db downloads and know exactly which package updates to expect given I see all commits to our svn repos. So the scope in which I could be attacked is very small and I am prepared to take that risk. So my priorities are clearly different to other people's. The key difference is, I submit patches to implement what I consider a priority...

Allan