[aur-general] TU Application: Daniel Bermond (dbermond)

Levente Polyak anthraxx at archlinux.org
Sun Oct 14 22:33:17 UTC 2018


On 10/15/18 12:27 AM, Baptiste Jonglez wrote:
> On 15-10-18, Levente Polyak via aur-general wrote:
>> On 10/14/18 11:35 PM, Daniel Bermond via aur-general wrote:
>>>
>>> I usually don't use pgp on my aur packages because people tend to
>>> complain a lot about building issues. They fail to handle the keys and
>>> start complaining to the packager, and this is a big stress. When
>>> dealing with repository packages this is another story, of course. Since
>>> this was raised as a main issue, I'll be adding the pgp checks back again.
>>>
>>
>> So let me summarize what you are saying, correct me if I'm wrong:
>>
>> You fully know what's all the gizzle with gpg. Instead of acting like a
>> trustable user who follows best practice and spreads good advice and
>> helps teaching people about how all this works properly you prefer to
>> pull the lazy card because it's what? big stress? Serious?
>> I don't even find words to describe how untrustworthy this is to the
>> community to prefer to remove GPG signatures instead of educating users?
> 
> What a warm way to welcome people.  A bit of fact-checking doesn't hurt:
> 
> $ pkgver=4.16.1
> $ wget "https://www.apache.org/dist/flex/${pkgver}/binaries/apache-flex-sdk-${pkgver}-bin.tar.gz"{,.asc}
> $ gpg --verify apache-flex-sdk-4.16.1-bin.tar.gz.asc 
> gpg: assuming signed data in 'apache-flex-sdk-4.16.1-bin.tar.gz'
> gpg: Signature made mer. 15 nov. 2017 09:44:37 CET
> gpg:                using RSA key 44998F3E242727E94C4BADEB6B0A7EC905061FC8
> gpg: Can't check signature: No public key
> 
> $ gpg --search-keys 44998F3E242727E94C4BADEB6B0A7EC905061FC8
> gpg: data source: http://192.146.137.99:11371
> (1)  Piotr Zarzycki (CODE SIGNING KEY) <piotrz at apache.org>
>        4096 bit RSA key 6B0A7EC905061FC8, created: 2017-06-17 (revoked)
> Keys 1-1 of 1 for "44998F3E242727E94C4BADEB6B0A7EC905061FC8".  Enter number(s), N)ext, or Q)uit > 
> 
> 
> Baptiste
> 

Fact checking what? I didn't respond to a specific case, I responded to a
general statement:

"I usually don't use pgp on my aur packages because people tend to
complain a lot about building issues."

And that statement applies to parts of your comment as well... no I
frankly don't understand that someone would not like to because it's
stress. We then better add base-devel to makedepends as well, right?
