[pacman-dev] [ Package Signing ] Your signature please

Daniel Mendler mail at daniel-mendler.de
Sat Feb 19 19:36:53 EST 2011


> Responsibility? I take responsibility for myself and no one else,
> anything else would be stupid and make me legally liable for work I
> don't even get paid for.

I don't mean that you take legal responsibility. I only mean that you
have some influence on how this project continues.

>>> And you don't even have to implement
>>> the features yourself - there are people who are willing to help. But
>>> those people should also get some support by you.
>>
>> Those people get full support from me.  You might have seen between these
>> emails that I reviewed the three patches for package signing posted to this
>> list yesterday within 12 hours of them being posted.
>>
>> I am serious when I say "patches welcome".  It just turns out those people
>> that claim to be willing to help, rarely do anything.
> The other thing we frequently see is work that doesn't come close to
> meeting our standards, and when we point this out, we get accused of
> not wanting to implement package signing. At that point, what are we
> expected to do? Redo the work ourself?

I understand that the code quality should meet the quality standards.
And I understand that you don't want to redo the work yourself if this
is not the case. This is totally acceptable.

> Either way, can we all just relax a bit? This thread is becoming a
> bitching ground, and nothing productive has come out of it. Act civil
> and stop using the guise of the internet to say anything you want and
> attack others. It really isn't appropriate.

I think this should also go to a much more technical level. We have the
gpg tree in Allan's repository. As I said, I tested it with a repository
and got it to work. So can you tell me what you need until this can be
merged into master?

1. Design a strategy to manage the keyrings and adapt the tools to it
2. Patches for the issues on the Package Signing Wiki Page
3. Patches to db-scripts to manage the database with gpg signatures

Some of the issues on the wiki page are really minor (e.g. rename
option). There are more complex ones (replacing verified db with
unverified one, reworking the signature checking code when using pacman
-U). And there are already patches for some of the issues.

So what do you say about the code quality of the branch? Is it
acceptable at this point, or is there improvement needed? Are there other
blockers preventing you from merging it as soon as the points above are
solved?

Daniel
