[aur-general] TU application - speps

speps speps at gmx.com
Sat Apr 28 10:13:12 EDT 2012

On Sat, 28 Apr 2012 13:36:19 +1000
Allan McRae <allan at archlinux.org> wrote:

> On 27/04/12 06:32, Xyne wrote:
> > speps wrote:
> > 
> >> I followed the whole discussion on ML, as it is of my interest,
> >> and I must admit the Xyne presence in the Arch team was always a
> >> good point for me to assert the possibility of contributing "officially"
> >> and "anonymously" at the same time, in the hope that is not just an
> >> exception.
> >>
> >> The meaning of identity on the Internet is still something not so defined
> >> to me through its limits, consequences and abuses.
> >> So, from the beginning of my Internet experience, I never referenced to
> >> myself through my real name/life, but using a nickname, a digital identity.
> >> This could be perceived as stupid or too paranoid for some, but for me
> >> is just a way to taste things without risking to be too much implied till
> >> the point of no return. I'm not referring to responsibilities, but to the
> >> possibility of having a choice.
> >>
> > >> The intention of adopting GPG keys for signing packages is to prevent
> > >> malicious hijacking through mirrors and to certify their provenance,
> > >> and not to identify a packager in his real life.
> >> Also, even using a "real name" is not a way to assume a real existence,
> >> since hypothetically a real life identity could be easily faked too.
> >>
> >> As you can see I sign mails with my GPG Key, and I really do not see
> >> a real difference between mine and your or the one of another TU, since
> > >> actually we do not personally know each other.
> >>
> >> I like to think that a digital identity just deals with the reputation
> >> that comes from the quality of the work done like from the behaviours in
> >> social relations, and a nickname is enough to cover its identification.
> >>
> >> This is just my point till now, not a way to convince someone else.
> >> I say "till now", cause this is the first time I was asked to reveal
> >> my real identity for being crucial in contributing or to be trusted.
> >>
> >> Differently, some years ago Giovanni Scafora asked my name for including
> >> it as a contributor in a [extra] PKGBUILD (cpufrequtils) after sending
> >> him a patch. In that case I took the decision of keeping on my way.
> >>
> >> I'll have to think about this since, as you say, probably another
> >> Xyne would be not allowed.
> >> My idea is, trying an application as simply "speps" and on a negative
> >> response taking the big decision. What do you think?
> > 
> > I agree with all of these points. An identity is an identity regardless of
> > whether or not it's connected to the name your parents gave you. If you have
> > shown yourself to be consistent and trustworthy through actions over a period
> > of time, that should be enough. As you say, the introduction of PGP keys was to
> > ensure that no one had tampered with the packages in transit, not to force TUs
> > to divulge off-line (i.e. irrelevant) information. No one asked for real names
> > before, let alone verified them. All that mattered was the quality and
> > consistency of your contributions, and that's how it's supposed to be.
> > 
> > There are many legitimate reasons that one may wish to remain "anonymous". Some
> > simply prefer privacy. Others may wish to avoid internet stalkers or worse.
> > 
> > Anyway, as mentioned, you can release packages without all 5 master signatures,
> > but I still think it's silly that TUs don't automatically get all of the master
> > key signatures... untrusted "Trusted Users" just doesn't make any sense. If the
> > TU application process is not trusted, then it has to be changed, otherwise it's
> > nonsensical.
> > 
> > Btw, if you want real security and not just security theater, introduce a
> > sign-off system for TUs. That would do far more than getting "real names".
> > 
> I have no real issues with people being anonymous, but there is another
> issue here.
> I signed "Xyne"s GPG key because despite not knowing anything in
> particular about "him", I have had plenty of interaction with him during
> his time as an Arch contributor.  So I was quite sure that the Xyne I
> "knew" was the one I was signing a key for.
> The user "speps" on the other hand, I have absolutely no idea who is. In
> fact, when I looked at their AUR packages, I was absolutely surprised at
> the number of them...  I have never seen that name on IRC and there are
> only 5 posts on the forums for that account name.  Looking at mail
> archives there are a bunch of AUR package deletion requests.  I would
> have a lot of difficulty deciding to sign that key.
> Allan

Hi Allan, and thanks for joining the discussion
and for pointing this out, of course.

You're right, we never had a conversation before,
and our tasks never crossed.

Time for sharing my views on communication platforms, though.

As you mentioned, I only posted 5 messages on Arch Forums. Well,
I've never been too familiar with forums in general, even if I
found em a useful and inalienable resource.

Most of the communication related to my Arch contributions, till now,
has been wonderfully covered by the AUR comments feature.
Quite simple, but totally apt for discussing specific package-related
issues, given its self-structured nature.
Obviously, it also needs moderation. I systematically recommend that commenters
who go OT, abuse it by starting flame-wars or just use it wrong
(e.g. pasting kilometric logs without using a paste bin service) follow
some simple rules to let everybody live a satisfying collaboration experience.
And it just mostly works.

Accordingly, it's really noisy to me discovering (months later too) some user
reporting an issue with one of the build scripts I maintain on a {un,}official
Arch forum, or worse, on an Arch-unrelated ML. And it just happens regularly.
The few times it happened and I was still in time, I contacted the reporter
for joining the related AUR page.

Briefly, I never had the need for posting on forums till now, finding it
too generic and dispersive to be efficient in my regular tasks, like
reporting, discussing and resolving bugs.

You'll find some bug reports opened or not by me (username archspeps; at the
beginning I signed to all Arch services with this nick before changing to
speps; unluckily but fairly changing username for bug tracker is not allowed).
There aren't many of them though, since I usually do not report bugs without
investigating enough to provide a solution too, or simply they deal with
upstream bugs so I go to the source.
An example of bug (an old and long one) I contributed resolving both ways
is about the gimp file-uri support [1].

IRC represents my main communication platform. Yeah, IRC :)
In response to all OT comments I may find on one of my AUR pages, I invite
the user to contact me on IRC (speps @ freenode.net), since {s,}he would
find me on-line and active most of the time. Someone could testify.

Nevertheless, you're right.
You'll rarely find me on #archlinux, since I intentionally never added it
in my auto-join list. IRC channels are a great platform for discussing
everything and in an immediate and efficient way. Btw, as it happens for
overused and sated channels related to big projects such as a popular
distribution, they may easily become a chaotic bazaar where you hardly
distinguish or follow a single conversation, fancy participate.
Also, English not being my first language, things become even more
complicated, so I usually tend to leave this kind of conversation to users
that are surely more quick and polished than me. Those are the reasons why
#archaudio or #archlinux.it are, instead, in my auto-join list.

At the same time it would be surely reasonable for me being at least present
on #archlinux, so more people could easily check if I'm on-line or not.
So, from now and on, I promise you'll find me on #archlinux too :)

Mailing lists are also part of my daily routine.
I'm subscribed to all development related lists, following most of the threads.
Trying to limit the amount of nested responses though, I participate exclusively
when my comment would be heavily relevant or when it just deals with practices,
like merge or delete requests. Also in such cases I collect as many packages as
I can in those requests, and include thanks in advance.
An example of what I intend for almost relevant is a contribution I sent last
December on arch-multilib ML [2] about the jack2-multilib package.

Probably, my Arch itinerary would be harder to trace back since my synthetic
contributing style and fragmentation, absolutely antithetic to my so long
explanations, of course (sorry). Btw, I'm here to help you :)


[1] https://bugs.archlinux.org/task/12321
[2] http://mailman.archlinux.org/pipermail/arch-multilib/2011-December/000251.html

- speps -