[pacman-dev] Package signing in pacman
yaro at marupa wrote:
It's under development. To be honest a lot of Arch users are tired of this discussion popping up. If you want it to show up sooner, then you could help by submitting patches of your own to the pacman developers.
It'll get here when it gets here.
This is a poor attitude. A better attitude would be, "Here's how you can help: ..."
"... Submitting patches of your own" is an invalid continuation of that response. Patches? For what? Where's the documentation of the way it should function? Where's the documentation of the current infrastructure? Where's the specific information about what's left to do? Is the information recent?
This page: https://wiki.archlinux.org/index.php/Package_Signing_Proposal_for_Pacman
... is a "proposal". It was last edited a year ago. It does not help.
This page: https://bugs.archlinux.org/task/5331
... is a "task" ticket, in the tracker, but it doesn't offer much in the way of relevant information. It does not help.
This page: https://wiki.archlinux.org/index.php/User:Allan/Package_Signing
... was updated within the past month, at least, but is, as far as i can tell, a brain dump for Allan himself. Information is sparse, implementation details are almost nonexistent, and TODO items are vague. It does not help.
In 2010, based on information present in the above-referenced tracker ticket, i tried contacting the Arch developers who appeared to be involved, offering to contribute, and got no response. Allan's Package_Signing page didn't exist yet. As far as i can tell, at this point, that ticket is even assigned to the wrong person. You can't make it difficult for people to contribute and then complain that you aren't receiving contributions.
I'm not downplaying the effort that Allan (et al.?) has put forth -- i think it's excellent! But so far, this has all the markings of a single-person project, being coded by someone who doesn't _want_ contributions.
Typically, here's what people who do want contributions supply:
- an overview of the program internals and general API
- details about how the current project _should_ function.
- API notes on what has been implemented for the current project thus far.
- DETAILS on what portions of the project remain, so that others can pick them up.
I can do without the overview of program internals. The latter three are rather more important.
So, why not adopt a better attitude -- indeed, perhaps a better method -- and actually try to get contributors?
In case it still isn't clear: I'd love to help. I'd love to write patches. I'd love to submit them. I'd love to see pacman package signing in operation, so much so that i'm willing to devote some of my scant time to do so. Now, somebody (Allan?), please make it reasonable for me, and others like me, to even try.
Thanks,
ari
On Fri, May 20, 2011 at 2:44 PM, ari edelkind <edelkind+arch-pacman@gmail.com> wrote:
yaro at marupa wrote:
It's under development. To be honest a lot of Arch users are tired of this discussion popping up. If you want it to show up sooner, then you could help by submitting patches of your own to the pacman developers.
It'll get here when it gets here.
This is a poor attitude. A better attitude would be, "Here's how you can help: ..."
"... Submitting patches of your own" is an invalid continuation of that response. Patches? For what? Where's the documentation of the way it should function? Where's the documentation of the current infrastructure? Where's the specific information about what's left to do? Is the information recent?
This page: https://wiki.archlinux.org/index.php/Package_Signing_Proposal_for_Pacman
... is a "proposal". It was last edited a year ago. It does not help.
This page: https://bugs.archlinux.org/task/5331
... is a "task" ticket, in the tracker, but it doesn't offer much in the way of relevant information. It does not help.
This page: https://wiki.archlinux.org/index.php/User:Allan/Package_Signing
... was updated within the past month, at least, but is, as far as i can tell, a brain dump for Allan himself. Information is sparse, implementation details are almost nonexistent, and TODO items are vague. It does not help.
In 2010, based on information present in the above-referenced tracker ticket, i tried contacting the Arch developers who appeared to be involved, offering to contribute, and got no response. Allan's Package_Signing page didn't exist yet. As far as i can tell, at this point, that ticket is even assigned to the wrong person. You can't make it difficult for people to contribute and then complain that you aren't receiving contributions.
I'm not downplaying the effort that Allan (et al.?) has put forth -- i think it's excellent! But so far, this has all the markings of a single-person project, being coded by someone who doesn't _want_ contributions.
You're wrong here, it's not a single person project, i have seen Dan and others commit package signing implementations too. For example: http://projects.archlinux.org/devtools.git/commit/?id=c16e7c25c9432e0d2f0fde...
Typically, here's what people who do want contributions supply:
- an overview of the program internals and general API
http://code.toofishes.net/pacman/doc/
- details about how the current project _should_ function.
- API notes on what has been implemented for the current project thus far.
- DETAILS on what portions of the project remain, so that others can pick them up.
I can do without the overview of program internals. The latter three are rather more important.
So, why not adopt a better attitude -- indeed, perhaps a better method -- and actually try to get contributors?
In case it still isn't clear: I'd love to help. I'd love to write patches. I'd love to submit them. I'd love to see pacman package signing in operation, so much so that i'm willing to devote some of my scant time to do so. Now, somebody (Allan?), please make it reasonable for me, and others like me, to even try.
Probably the biggest obstacle is implementing the infrastructure. If i am correct devtools is already done. (not sure though)
Thanks,
ari
-- Jelle van der Waa
On Fri, May 20, 2011 at 10:45, Jelle van der Waa <jelle@vdwaa.nl> wrote:
I'm not downplaying the effort that Allan (et al.?) has put forth -- i think it's excellent! But so far, this has all the markings of a single-person project, being coded by someone who doesn't _want_ contributions.
You're wrong here, it's not a single person project, i have seen Dan and others commit package signing implementations too. For example: http://projects.archlinux.org/devtools.git/commit/?id=c16e7c25c9432e0d2f0fde...
I'm not wrong. That's what the "(et al.?)" was for. It still has the markings (appearance, feel, or facade, if you will) of a single-person project. The fact that others who are intimately familiar with pacman --- and have been in ongoing discussions with Allan --- have committed changes does not change my point. And remember, Dan is already a committer for pacman. By definition, he's intimately familiar with it.
Even if a non-committer has spent many hours, or even days becoming familiar with the project, and then managed to eke out a patch that was found useful, requiring that a would-be contributor do such a thing is disrespectful to that person's time. Worse, would-be contributors are likely to move on and spend their time elsewhere.
I'm getting off-track.
Jelle, i'm not sure what your point was. Were you just saying that others deserve credit, too? If so, i agree. Thanks to everyone who has contributed thus far (i'm not alone in my appreciation, believe me).
Or, were you saying that, since others have contributed in the past, the project must already be contributor-friendly; those involved needn't put forth any additional effort to attract contributors; and responses like, "if you want it to arrive faster, submit a patch," are valid and useful? I think it's clear that this is not the case.
Probably the biggest obstacle is implementing the infrastructure.
That's interesting, because when i read Allan's Package_Signing page, it appeared to me that the infrastructure has mostly been completed. The "TODO" tasks all seem fairly minor.
This sort of confusion illustrates my point. I'd venture to say that time spent clearing such confusion would at least be met by a worthwhile return-on-investment by contributors. I've already expressed my interest in being one of those contributors. Three times now.
ari
On 2011/5/20 ari edelkind <edelkind+arch-pacman@gmail.com> wrote:
On Fri, May 20, 2011 at 10:45, Jelle van der Waa <jelle@vdwaa.nl> wrote:
I'm not downplaying the effort that Allan (et al.?) has put forth -- i think it's excellent! But so far, this has all the markings of a single-person project, being coded by someone who doesn't _want_ contributions.
You're wrong here, it's not a single person project, i have seen Dan and others commit package signing implementations too. For example: http://projects.archlinux.org/devtools.git/commit/?id=c16e7c25c9432e0d2f0fde...
I'm not wrong. That's what the "(et al.?)" was for. It still has the markings (appearance, feel, or facade, if you will) of a single-person project. The fact that others who are intimately familiar with pacman --- and have been in ongoing discussions with Allan --- have committed changes does not change my point. And remember, Dan is already a committer for pacman. By definition, he's intimately familiar with it.
Even if a non-committer has spent many hours, or even days becoming familiar with the project, and then managed to eke out a patch that was found useful, requiring that a would-be contributor do such a thing is disrespectful to that person's time. Worse, would-be contributors are likely to move on and spend their time elsewhere.
Hello Ari,
You seem to be complaining about lack of documentation in pacman's source code. The answer is probably that no, we are not really motivated to write documentation, and the reason is very simple. Nobody in the current contributors has time to do that. The API is documented, which is at least nice.
This is no disrespect in any way. Writing proper documentation requires work. Trying to attract new contributors requires work too. People have hardly the time to do this work. Of course it is desirable, maybe it's a pity this work is not more developed, but we are all volunteers. If we are not motivated for this work, we are not going to do it.
We are pleased to see people who are interested, if you are willing to contribute, yes, you can spend time reading the code, understand what it does, and then contribute documentation, and help pacman become more developer friendly. Feel free to ask any question on the mailing-list about pacman and libalpm and the current development directions.
If I remember correctly, I think Dan considers the current implementation to be almost feature-complete, maybe except for tiny details.
Regards,
Rémy.
On Sat, May 21, 2011 at 05:02, Rémy Oudompheng wrote:
You seem to be complaining about lack of documentation in pacman's source code. The answer is probably that no, we are not really motivated to write documentation, and the reason is very simple. Nobody in the current contributors has time to do that. The API is documented, which is at least nice. This is no disrespect in any way. Writing proper documentation requires work. Trying to attract new contributors requires work too.
Agreed, it does. My point was that if you make contributing unattractive, then a blanket response of, "You want it? You write it," becomes little more than a brush-off. If contributing is easy, then it's an invitation.
What's more, since developers always like their work to be appreciated, once a person does begin contributing, he's likely to contribute more later. The biggest problem is, he has to get over that initial hurdle and learning curve, and if it looks daunting, he's more likely to consider it a waste of time, and less likely to start.
My goals were as follows:
- Get people to recognize the problem.
- Inspire _one_ of the following:
  1. Creation of documentation that makes starting to contribute less _work_ and more productive.
  2. Cessation of blanket "If you want it, write a patch" statements.
If [1] happens, then the issue of [2] is okay. If [2] happens, then the lack of [1] is no longer disrespectful.
I'm encouraged that people seem to have recognized the problem, and are putting forth effort to make [1] a reality.
ari
On 2011/5/21 ari edelkind <edelkind+arch-pacman@gmail.com> wrote:
My goals were as follows:
- Get people to recognize the problem.
- Inspire _one_ of the following:
  1. Creation of documentation that makes starting to contribute less _work_ and more productive.
  2. Cessation of blanket "If you want it, write a patch" statements.
If [1] happens, then the issue of [2] is okay. If [2] happens, then the lack of [1] is no longer disrespectful.
I'm encouraged that people seem to have recognized the problem, and are putting forth effort to make [1] a reality.
If your goal is really to get other people to do a work you want to see done, then I guess you did not understand the full meaning of being a volunteer. As a personal point of view, there is no way I am going to be dictated either [1] or [2].
Regards,
Rémy.
participants (3)
- ari edelkind
- Jelle van der Waa
- Rémy Oudompheng