[pacman-dev] Package signing in pacman

Jelle van der Waa jelle at vdwaa.nl
Fri May 20 10:45:21 EDT 2011

On Fri, May 20, 2011 at 2:44 PM, ari edelkind <
edelkind+arch-pacman at gmail.com> wrote:

> yaro at marupa wrote:
> > It's under development. To be honest a lot of Arch users are tired of
> > this discussion popping up. If you want it to show up sooner, then you
> > could help by submitting patches of your own to the pacman developers.
> >
> > It'll get here when it gets here.
> This is a poor attitude.  A better attitude would be, "Here's how you
> can help: ..."
> "... Submitting patches of your own" is an invalid continuation of
> that response.  Patches?  For what?  Where's the documentation of the
> way it should function?  Where's the documentation of the current
> infrastructure?  Where's the specific information about what's left to
> do?  Is the information recent?
> This page:
> https://wiki.archlinux.org/index.php/Package_Signing_Proposal_for_Pacman
> ... is a "proposal".  It was last edited a year ago.  It does not help.
> This page:
> https://bugs.archlinux.org/task/5331
> ... is a "task" ticket, in the tracker, but it doesn't offer much in
> the way of relevant information.  It does not help.
> This page:
> https://wiki.archlinux.org/index.php/User:Allan/Package_Signing
> ... was updated within the past month, at least, but is, as far as i
> can tell, a brain dump for Allan himself.  Information is sparse,
> implementation details are almost nonexistent, and TODO items are
> vague.  It does not help.
> In 2010, based on information present in the above-referenced tracker
> ticket, i tried contacting the Arch developers who appeared to be
> involved, offering to contribute, and got no response.  Allan's
> Package_Signing page didn't exist yet.  As far as i can tell, at this
> point, that ticket is even assigned to the wrong person.  You can't
> make it difficult for people to contribute and then complain that you
> aren't receiving contributions.
> I'm not downplaying the effort that Allan (et al.?) has put forth -- i
> think it's excellent!  But so far, this has all the markings of a
> single-person project, being coded by someone who doesn't _want_
> contributions.
You're wrong here; it's not a single-person project. I have seen Dan and
others commit package signing implementations too.
For example:

> Typically, here's what people who do want contributions supply:
>  - an overview of the program internals and general API

>  - details about how the current project _should_ function.
>  - API notes on what has been implemented for the current project thus far.
>  - DETAILS on what portions of the project remain, so that others can
> pick them up.
> I can do without the overview of program internals.  The latter three
> are rather more important.
> So, why not adopt a better attitude -- indeed, perhaps a better method
> -- and actually try to get contributors?
> In case it still isn't clear:
> I'd love to help.  I'd love to write patches.  I'd love to submit
> them.  I'd love to see pacman package signing in operation, so much so
> that i'm willing to devote some of my scant time to do so.  Now,
> somebody (Allan?), please make it reasonable for me, and others like
> me, to even try.

Probably the biggest obstacle is implementing the infrastructure. If I am
correct, devtools is already done (not sure though).

> ari

Jelle van der Waa
