[arch-dev-public] switching to systemd-stable

Bartłomiej Piotrowski bpiotrowski at archlinux.org
Thu Jul 6 08:13:52 UTC 2017

On 2017-07-06 09:44, NicoHood wrote:
> On 07/06/2017 09:12 AM, Bartłomiej Piotrowski wrote:
>> On 2017-07-06 02:11, NicoHood wrote:
>>> On 07/05/2017 12:10 AM, Christian Hesse wrote:
>>>> Dave Reisner <d at falconindy.com> on Sat, 2017/07/01 13:22:
>>>>> Hey all,
>>>>> This should be pretty much a no-brainer, but wanted to be sure I wasn't
>>>>> missing anything. Systemd upstream publishes a "systemd-stable" repo [1]
>>>>> which branches at each tag and cherry-picks backports. I'd like to
>>>>> switch our systemd package to this repo to avoid some of the duplication
>>>>> of work that Jan, Christian and myself have done in the past. The repo
>>>>> sees a bunch more activity than what our own backporting strategy has
>>>>> been, and I see that as a positive.
>>>> Just a little heads-up... systemd 233.75-1 landed in [testing]. So give it a
>>>> try! ;)
>>>> BTW, we had just one backported commit to be removed, so 74 new commits
>>>> landed in this package compared to 233-7. Let's hope this gives some benefit.
>>> Systemd still does not use https sources. Regarding the recent
>>> discussion about tricking git about wrong tags and other evil stuff it
>>> is highly recommended to switch to https. Please do it in favor for all
>>> ArchLinux users security.
>>> Once more the reference:
>>> https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/torres-arias
>> Regarding the recent discussion:
>> https://lists.archlinux.org/pipermail/arch-dev-public/2017-July/028919.html
>> I really hoped I don't have to put "NicoHood" on top to make you realize
>> it's addressed to you. Please do it in favor for all Arch Linux packagers.
> What are you blaming me for now? This is a package everyone must install
> and you are telling me we have other serious problems? Sure we have, but
> compared to the time it takes to add an "s" to "http" this is a simple
> excuse. And this is not about checksums man, this is about https where
> even gpg signatures by git can be tricked.

Just as it is possible that a plane will fall into your house. The
existence of a way doesn't imply probability.

> And yes, I am doing stuff in the background. I wrote a guide and a tool
> that simplifies source code signing[1] and I am doing a detailed
> security analysis on all ArchLinux packages. And once it is ready I will
> request gpg signatures from every upstream source, especially packages
> from [core].

Great, you are pushing another personal project as something we should
glorify. Finish what you started first, instead of jumping between
multiple things, mostly accomplishing hostility towards you or anything
you propose. (Hint: nobody is taking you seriously anymore.)

> So you can tell me discussing about this is bullshit, right. But just
> not reacting to obvious security problems that can be solved within
> seconds is just not a single time better. Please do it in favor for all
> Arch Linux User's Security.

At this point I'm ready to just put you on moderation list. Trying to
make you less oblivious is a waste of time.


More information about the arch-dev-public mailing list