[pacman-dev] Package signing in pacman

ari edelkind edelkind+arch-pacman at gmail.com
Fri May 20 11:55:50 EDT 2011


On Fri, May 20, 2011 at 10:45, Jelle van der Waa <jelle at vdwaa.nl> wrote:
>> I'm not downplaying the effort that Allan (et al.?) has put forth -- i
>> think it's excellent!  But so far, this has all the markings of a
>> single-person project, being coded by someone who doesn't _want_
>> contributions.
>>
> You're wrong here, it's not a single person project, i have seen Dan and
> others commit package signing implementations too.
> For example:
> http://projects.archlinux.org/devtools.git/commit/?id=c16e7c25c9432e0d2f0fdeea30f08ad2ffe6950b

I'm not wrong.  That's what the "(et al.?)" was for.  It still has the
markings (appearance, feel, or facade, if you will) of a single-person
project.  The fact that others who are intimately familiar with pacman
--- and have been in ongoing discussions with Allan --- have committed
changes does not change my point.  And remember, Dan is already a
committer for pacman.  By definition, he's intimately familiar with
it.

Even if a non-committer has spent many hours, or even days becoming
familiar with the project, and then managed to eke out a patch that
was found useful, requiring that a would-be contributor do such a
thing is disrespectful to that person's time.  Worse, would-be
contributors are likely to move on and spend their time elsewhere.

I'm getting off-track.  Jelle, i'm not sure what your point was.  Were
you just saying that others deserve credit, too?  If so, i agree.
Thanks to everyone who has contributed thus far (i'm not alone in my
appreciation, believe me).  Or, were you saying that, since others
have contributed in the past, the project must already be
contributor-friendly; those involved needn't put forth any additional
effort to attract contributors; and responses like, "if you want it to
arrive faster, submit a patch," are valid and useful?  I think it's
clear that this is not the case.


> Probably the biggest obstacle is implementing the infrastructure.

That's interesting, because when i read Allan's Package_Signing page,
it appeared to me that the infrastructure has mostly been completed.
The "TODO" tasks all seem fairly minor.  This sort of confusion
illustrates my point.  I'd venture to say that time spent clearing
such confusion would at least be met by a worthwhile
return-on-investment by contributors.  I've already expressed my
interest in being one of those contributors.  Three times now.

ari

