[pacman-dev] Package signing in pacman
Jelle van der Waa
jelle at vdwaa.nl
Fri May 20 10:45:21 EDT 2011
On Fri, May 20, 2011 at 2:44 PM, ari edelkind <
edelkind+arch-pacman at gmail.com> wrote:
> yaro at marupa wrote:
> > It's under development. To be honest a lot of Arch users are tired of
> > this discussion popping up. If you want it to show up sooner, then you
> > could help by submitting patches of your own to the pacman developers.
> >
> > It'll get here when it gets here.
>
> This is a poor attitude. A better attitude would be, "Here's how you
> can help: ..."
>
> "... Submitting patches of your own" is an invalid continuation of
> that response. Patches? For what? Where's the documentation of the
> way it should function? Where's the documentation of the current
> infrastructure? Where's the specific information about what's left to
> do? Is the information recent?
>
> This page:
> https://wiki.archlinux.org/index.php/Package_Signing_Proposal_for_Pacman
>
> ... is a "proposal". It was last edited a year ago. It does not help.
>
> This page:
> https://bugs.archlinux.org/task/5331
>
> ... is a "task" ticket, in the tracker, but it doesn't offer much in
> the way of relevant information. It does not help.
>
> This page:
> https://wiki.archlinux.org/index.php/User:Allan/Package_Signing
>
> ... was updated within the past month, at least, but is, as far as i
> can tell, a brain dump for Allan himself. Information is sparse,
> implementation details are almost nonexistent, and TODO items are
> vague. It does not help.
>
> In 2010, based on information present in the above-referenced tracker
> ticket, i tried contacting the Arch developers who appeared to be
> involved, offering to contribute, and got no response. Allan's
> Package_Signing page didn't exist yet. As far as i can tell, at this
> point, that ticket is even assigned to the wrong person. You can't
> make it difficult for people to contribute and then complain that you
> aren't receiving contributions.
>
> I'm not downplaying the effort that Allan (et al.?) has put forth -- i
> think it's excellent! But so far, this has all the markings of a
> single-person project, being coded by someone who doesn't _want_
> contributions.
>
You're wrong here, it's not a single person project, i have seen Dan and
others commit package signing implementations too.
For example:
http://projects.archlinux.org/devtools.git/commit/?id=c16e7c25c9432e0d2f0fdeea30f08ad2ffe6950b
> Typically, here's what people who do want contributions supply:
> - an overview of the program internals and general API
>
http://code.toofishes.net/pacman/doc/
> - details about how the current project _should_ function.
> - API notes on what has been implemented for the current project thus far.
> - DETAILS on what portions of the project remain, so that others can
> pick them up.
>
> I can do without the overview of program internals. The latter three
> are rather more important.
>
> So, why not adopt a better attitude -- indeed, perhaps a better method
> -- and actually try to get contributors?
>
> In case it still isn't clear:
> I'd love to help. I'd love to write patches. I'd love to submit
> them. I'd love to see pacman package signing in operation, so much so
> that i'm willing to devote some of my scant time to do so. Now,
> somebody (Allan?), please make it reasonable for me, and others like
> me, to even try.
Probably the biggest obstacle is implementing the infrastructure. If i am
correct devtools is already done. (not sure though)
Thanks,
> ari
>
>
--
Jelle van der Waa
More information about the pacman-dev
mailing list