Re: Applying for maintainer role

2023-07-17 Thread Giancarlo Razzolini
Excerpts from Tomaz Canabrava's message of July 17, 2023 3:58 pm:
> So, I downloaded thunderbird (after years using gmail as my only mail 
> client), setup my new gpg key on thunderbird, and hope that this message 
> is digitally signed.
> 
> I'm much better with bash than I am fiddling with weird programs to send 
> e-mail :)
> 
> Best,
> 
> Tomaz
> 
> On 7/17/23 19:32, Antonio Rojas wrote:
>> On Sunday, 16 July 2023 14:37:31 (CEST) Tomaz Canabrava wrote:
>>> My sponsors are Gian and Antonio Rojas.
>>>
>>> This is not gpg signed and I’m sorry for that, but gian and Antonio can
>>> also vouch for me as the validity of this email.
>>>
>>> Best,
>>> Tomaz - kde ev member
>> I confirm my sponsorship (modulo complying with the application process 
>> requirements), I've known about Tomaz for a long time as a KDE developer. 
>> There's a lot of work ahead for KDE packaging with the upcoming Qt 6 port 
>> and it would be great to have more hands to help Felix and me with it.
>>
> 

Thank you Tomaz for the signed email. Now that both sponsors have replied and we
have a signed email, we can officially start the discussion period.

Regards,
Giancarlo Razzolini

pgpkcvH8Av2af.pgp
Description: PGP signature


Re: Applying for maintainer role

2023-07-17 Thread Tomaz Canabrava
So, I downloaded thunderbird (after years using gmail as my only mail 
client), setup my new gpg key on thunderbird, and hope that this message 
is digitally signed.


I'm much better with bash than I am fiddling with weird programs to send 
e-mail :)


Best,

Tomaz

On 7/17/23 19:32, Antonio Rojas wrote:
> On Sunday, 16 July 2023 14:37:31 (CEST) Tomaz Canabrava wrote:
>> My sponsors are Gian and Antonio Rojas.
>>
>> This is not gpg signed and I’m sorry for that, but gian and Antonio can
>> also vouch for me as the validity of this email.
>>
>> Best,
>> Tomaz - kde ev member
> I confirm my sponsorship (modulo complying with the application process
> requirements), I've known about Tomaz for a long time as a KDE developer.
> There's a lot of work ahead for KDE packaging with the upcoming Qt 6 port and
> it would be great to have more hands to help Felix and me with it.



OpenPGP_0xB10D17C4DDFC6DDE.asc
Description: OpenPGP public key


OpenPGP_signature.asc
Description: OpenPGP digital signature


Re: Applying for maintainer role

2023-07-17 Thread Dan Arena
> I was expecting an e-mail such as the one sent by Carsten Haitzler, not the 
> one sent by Mr. Steel.
> When we are too strict about rules - without stating the reasons behind those 
> rules, we will drive good people away. Mr. Steel didn't bother to search 
> about the things I did or who I was nor did he want anything to know about 
> myself or why I wanted to join Archlinux, his e-mail was basically a 
> box-ticking-procedure-checking.
> That's not just how people should behave within communities, as different 
> people behave differently and it's way more important to have an human-factor 
> when dealing with people.

Hi Tomaz,
Let me start by saying I see your passion for it and understand your
point of view. I believe this is my first time ever replying to this
mailing list, by the way. I have read many threads of people
discussing TU Applications. I felt the need to reply because I
recently argued with someone about similar issues to this and did so
starting from a similar point of view as you I believe, where I was
against the seemingly corporate-like checklists/procedures. The person
knew me and I felt insulted that they were making me go through with
something that seemingly implied that I was lying. I have actually
changed my point of view on this though after discussing it with
coworkers several times. The real importance of following
checklists/procedures like this, as I was convinced to realize, is
that they force fairness and transparency. It prevents nepotism, or
even possibly people being deceived and getting someone they thought
was a friend online past the normal procedures, and having them turn
out to be malicious. It is not accusing you or anyone of it, but it is
to make things fair. I think that is important in a community like
this. Treat people fairly. This way we don't have to try to guess who
has malicious intent and treat them differently than someone else 1
person thought they knew.

All community members, on a side note, although I haven't read much
into it, I think it is great to see the role is now "package
maintainer". I have said to myself after reading many of these
applications and seeing the current TUs interview the person applying
mostly about their technical ability, that all of these technical
questions are not really confirming the part I worry more about with
the AUR, and what is in the name of a "TU", _TRUST_. A person with
malicious intent, could, and most likely would be, technically
capable. They could easily pass that part of it with minimal effort.
Very few of these applications seem to have a way to actually confirm
that the person applying is TRUSTED. Now, I know everywhere it says
the AUR is not to be trusted, and we must confirm all PKGBUILDs during
build, but let's be real, with git packages and sources being pulled
from many unheard of remote websites, that can be tough. I do review
almost every PKGBUILD I use from the AUR, but I often wonder about the
git url it is pulling from, and only sometimes do I go there and take
a quick look at it. This can be a tough balance between confirming
trust, and keeping people's privacy though. I am not sure though if
more investigation is done behind closed doors to confirm those things
but keep people's private information, well, private.

Sorry to go off on a bit of a rant there on the side note. I hope my
formatting was satisfactory for everyone (plain text and
bottom-replying, right? haha.). I see there have also been a couple
emails pop up since I typed this up. Sorry if this has now become
repetitive, out of place, or further derailed the conversation on the
actual application process.

Kind regards,
Dan


Re: Applying for maintainer role

2023-07-17 Thread Giancarlo Razzolini
Excerpts from Levente Polyak's message of July 17, 2023 3:01 pm:
> Dear Tomaz and fellow community members,
> 
> 
> Let's all grab a cool beverage, breathe some fresh air and get back to 
> this discussion with a clear mind.

Thank you Levente for your words. I think this application got derailed for
the wrong reasons. I still firmly believe that Tomaz would make an excellent
addition to our team.

He is a seasoned open source developer, and has packaging experience, albeit
not on Arch, admittedly, but on debian. Nevertheless, with some help from the
sponsors and remaining a Junior Maintainer for a while, I think this would be
a perfect fit.

Not only Tomaz can help with KDE packaging, and also anticipating trends from
the KDE team, but I'm quite sure he can also help with other parts of the system
as well.

We are working on the GPG signature, but as anyone can see, his email is coming
from the KDE org, and he _is_ who he claims he is. So let's all take a break and
try to keep to the application itself.

Regards,
Giancarlo Razzolini

pgpLaVftfMOpB.pgp
Description: PGP signature


Re: Applying for maintainer role

2023-07-17 Thread Levente Polyak

Dear Tomaz and fellow community members,

I wanted to take a moment to address the recent discussion on the 
mailing list regarding Tomaz's application as a package maintainer for 
our distro (First of all, thank you Tomaz for your interest). As I have 
followed the conversation closely, I believe it is important to approach 
this matter from a neutral standpoint that encourages constructive 
dialogue and reinforces the values we uphold as a community.


First and foremost, I want to emphasize that we are a community of 
individuals with diverse perspectives and opinions. It is only natural 
that we encounter situations where different viewpoints arise. However, 
it is crucial that we maintain a respectful tone throughout our 
discussions, even when faced with conflicting ideas. Responding in a 
snarky and passive-aggressive manner does not contribute positively to 
our collective growth no matter who used such a language first.


While it is exemplary to seek clarification and avoid blindly following 
procedures, it is equally important to recognize the value of our 
established processes. When applicants deviate from these procedures, it 
can lead to unnecessary conflicts and consume significant time and 
energy from our dedicated volunteers. Considering the cumulative effort 
required to discuss a deliberate deviation from established processes on 
list, it is instead advisable to consult with the sponsors first to 
ensure a smoother experience for everyone involved.


Regarding the PGP aspect of the application procedure, it is essential 
to understand that it serves a purpose beyond mere formality. 
Establishing cryptographic trust through this process enables 
streamlined authentication for various aspects, such as later on 
providing service usernames, SSH keys, and secure communication via 
encrypted emails to receive channel passwords etc. By adhering to this 
procedure from the outset, we overall simplify the verification process 
even if it could mean one applicant needs to create a key even when not 
getting accepted.


Let us remember that we are more than just a group of technicians 
performing individual tasks. We are a social construct, united in our 
dedication to Arch Linux. As representatives of our distro, it is 
essential to lead by example, fostering an environment where respectful 
communication and cooperation thrives. While it is understandable to 
encounter language that may not align with our personal preferences, it 
is of utmost importance to respond with factual information in a friendly 
manner, trusting that others will recognize the overall tone of one's 
own message themselves. This does not mean your opinion should be 
withheld or that you should let everyone in you disagree with, but it 
means to always approach our discussions with an open mind and empathy.


Let's all grab a cool beverage, breathe some fresh air and get back to 
this discussion with a clear mind.

Warm regards,
Levente


OpenPGP_signature.asc
Description: OpenPGP digital signature


Re: Applying for maintainer role

2023-07-17 Thread Antonio Rojas
On Sunday, 16 July 2023 14:37:31 (CEST) Tomaz Canabrava wrote:
> My sponsors are Gian and Antonio Rojas.
> 
> This is not gpg signed and I’m sorry for that, but gian and Antonio can
> also vouch for me as the validity of this email.
> 
> Best,
> Tomaz - kde ev member

I confirm my sponsorship (modulo complying with the application process 
requirements), I've known about Tomaz for a long time as a KDE developer. 
There's a lot of work ahead for KDE packaging with the upcoming Qt 6 port and 
it would be great to have more hands to help Felix and me with it.



signature.asc
Description: This is a digitally signed message part.


Re: Applying for maintainer role

2023-07-17 Thread Tomaz Canabrava
On Mon, Jul 17, 2023 at 5:41 PM T.J. Townsend wrote:

> On Sun, Jul 16, 2023 at 03:37:31PM +0300, Tomaz Canabrava wrote:
> > Hello,
> >
> > My name is Tomaz Canabrava, Im a kde developer and mostly focus on
> > Konsole.
> > Other than that, I use arch Linux for the past 10 years, as my only Linux
> > distro.
> >
> > I have experience with packaging (debian, for work) but not on arch, but
> > it’s shell and that thing I can handle :)
>
> Hi Tomaz. When there are established, documented guidelines for how to do
> something in Arch Linux, they need to be followed. With no regard for how
> the application process works, with no Arch packaging experience at all,
> and with an attitude like this...
>

Don't misunderstand practicality with attitude, I have no intention of
being a pain or "that dude", you can read the rest of the e-mails I send or
focus on the nitpicks, that's a choice anyone has.


>
> > I’ll create a gpg key when/if I need, to sign the packages, if arch Linux
> > votes for me.
>
> > > I consider an application that does not meet the requirements and has had
> > > very little effort put in to be a waste of time.
> >
> > That’s true, and I guess I already have your -1 on the votes. Great meeting
> > you :)
>
> ...I'm not sure what kind of result you're expecting.
>

I was expecting an e-mail such as the one sent by Carsten Haitzler, not the
one sent by Mr. Steel.
When we are too strict about rules - without stating the reasons behind
those rules, we will drive good people away. Mr. Steel didn't bother to
search about the things I did or who I was nor did he want anything to
know about myself or why I wanted to join Archlinux, his e-mail was
basically a box-ticking-procedure-checking.
That's not just how people should behave within communities, as different
people behave differently and it's way more important to have an
human-factor when dealing with people.

>
> You started off your application without any interest in doing things the
> way they're always done here
>

... That's correct. It's not because they are always done that they should
still be done that way, and yes, I have sent an e-mail from my mobile phone
without signing it from GPG.
At the same time, every e-mail that I got here - even from people with the
GPG key on their signature, was unsigned.


> and then refused to fix that behavior when
> corrected.


... That's not correct. I refused to do that *with* the reply from Mr.
Steel, because I am not a robot that will do things from a list ticking all
of the boxes. However, to the answer from Mr. Carsten I changed the
attitude as appropriate, as he took the human approach.


> Consider it a -2 now.
>
> "Great meeting you :)"
>

Ignoring all the attitude on the e-mail can be hard, and you are answering
the e-mail with the exact same attitude as I replied to Mr. Steel.
Still, read the rest of the thread.

Tomaz


Re: Applying for maintainer role

2023-07-17 Thread T.J. Townsend
On Sun, Jul 16, 2023 at 03:37:31PM +0300, Tomaz Canabrava wrote:
> Hello,
>
> My name is Tomaz Canabrava, Im a kde developer and mostly focus on
> Konsole.
> Other than that, I use arch Linux for the past 10 years, as my only Linux
> distro.
>
> I have experience with packaging (debian, for work) but not on arch, but
> it’s shell and that thing I can handle :)

Hi Tomaz. When there are established, documented guidelines for how to do
something in Arch Linux, they need to be followed. With no regard for how
the application process works, with no Arch packaging experience at all,
and with an attitude like this...

> I’ll create a gpg key when/if I need, to sign the packages, if arch Linux
> votes for me.

> > I consider an application that does not meet the requirements and has had
> > very little effort put in to be a waste of time.
> 
> That’s true, and I guess I already have your -1 on the votes. Great meeting
> you :)

...I'm not sure what kind of result you're expecting.

You started off your application without any interest in doing things the
way they're always done here, and then refused to fix that behavior when
corrected. Consider it a -2 now.

"Great meeting you :)"


signature.asc
Description: PGP signature


Re: Applying for maintainer role

2023-07-17 Thread Matthew Sexton



On 7/17/23 07:07, Tomaz Canabrava wrote:
> "if we are too strict about following all the rules we will let go
> people that would be a good fit for the project, for the sake of
> following the process correctly", but processes also are a thing that
> should evolve.

I don't think it's too strict to say "Before you maintain packages,
officially, you should show an interest in maintaining packages,
unofficially, and since GPG is a requirement for packaging, you should
show us you can do that too" I agree that processes are a thing that
should evolve and change but that is something that also has a process.
The TU bylaws explain how to apply, and the bylaws can be changed. Case
in point, TU has been replaced with Package Maintainer, an entirely new
job with different responsibilities.

If you disagree with the application process, absolutely open a dialogue
and invite discussion.

> I fix bugs upstream, work on opensource on my day to day life and on my
> vacations I travel to teach programming to students with low income. We all
> work for the common goal, and while the list of things that are not time
> consuming, they will add and will be time consuming in the end.

Being a package maintainer is more responsibility and work than the
things I described. If you're too busy to say Hi in IRC, how will you
find time to properly maintain packages?

> > I guess my overall point is.. WHY do you want to be a Package Maintainer
> > for Archlinux?
>
> To improve the relationship between KDE & Archlinux, having more people
> that are on those two communities at the same time, to move things
> faster and help decrease the maintenance burden of a single person
> taking care of around ~400 pieces of software.

I use KDE/Plasma as my daily driver and I can respect this.

I think if you picked any one way to interact more directly with the
Archlinux Community, you'd get plenty of YES votes. Despite being a
little meh about the application process, your experience is great and
your motivation is respectable.


OpenPGP_signature.asc
Description: OpenPGP digital signature


Re: Applying for maintainer role

2023-07-17 Thread Giancarlo Razzolini
Excerpts from Giancarlo Razzolini's message of July 17, 2023 9:18 am:
> Excerpts from Tomaz Canabrava's message of July 16, 2023 9:37 am:
>> Hello,
>> 
>> My name is Tomaz Canabrava, Im a kde developer and mostly focus on Konsole.
>> Other than that, I use arch Linux for the past 10 years, as my only Linux
>> distro.
>> 
>> I have experience with packaging (debian, for work) but not on arch, but
>> it’s shell and that thing I can handle :)
>> 
>> My sponsors are Gian and Antonio Rojas.
>> 
>> This is not gpg signed and I’m sorry for that, but gian and Antonio can
>> also vouch for me as the validity of this email.
>> 
>> Best,
>> Tomaz - kde ev member
>> 
> 
> Hi All,
> 
> I have been trying to lure Tomaz to Arch for years now. I think he would be
> an awesome addition to our KDE packaging and overall general packaging too.
> 
> As for the lack of GPG signature, I'm working with him to get it signed. I
> hereby confirm my sponsorship, pending the GPG signed email.
> 
> Regards,
> Giancarlo Razzolini
> 
> 

Also, one important thing to mention: Tomaz would be our first junior maintainer.
While he doesn't have any package on the AUR, he's more than capable of building
and maintaining software. So we would review and work with them in the beginning.

Regards,
Giancarlo Razzolini



pgpcuMrbiAU73.pgp
Description: PGP signature


Re: Applying for maintainer role

2023-07-17 Thread Giancarlo Razzolini
Excerpts from Tomaz Canabrava's message of July 16, 2023 9:37 am:
> Hello,
> 
> My name is Tomaz Canabrava, Im a kde developer and mostly focus on Konsole.
> Other than that, I use arch Linux for the past 10 years, as my only Linux
> distro.
> 
> I have experience with packaging (debian, for work) but not on arch, but
> it’s shell and that thing I can handle :)
> 
> My sponsors are Gian and Antonio Rojas.
> 
> This is not gpg signed and I’m sorry for that, but gian and Antonio can
> also vouch for me as the validity of this email.
> 
> Best,
> Tomaz - kde ev member
> 

Hi All,

I have been trying to lure Tomaz to Arch for years now. I think he would be
an awesome addition to our KDE packaging and overall general packaging too.

As for the lack of GPG signature, I'm working with him to get it signed. I
hereby confirm my sponsorship, pending the GPG signed email.

Regards,
Giancarlo Razzolini



pgp26AyZG_mTj.pgp
Description: PGP signature


Re: Applying for maintainer role

2023-07-17 Thread Tomaz Canabrava
On Mon, Jul 17, 2023 at 12:50 PM Matthew Sexton wrote:

>
>
> On 7/17/23 04:27, Tomaz Canabrava wrote:
> >
> >
> > On Mon, 17 Jul 2023 at 11:18 Jonathan Steel wrote:
> >
> > > On Mon 17 Jul 2023 at 10:44, Tomaz Canabrava wrote:
> > > > Because I don’t have a gpg key, and when the dkim features on the email
> > > > already are enough to validate that the email I send is from me.
> > >
> > > You will need a GPG key to package. Arch has rules about applying and
> > > you are openly not following them.
> >
> >
> > I’ll create a gpg key when/if I need, to sign the packages, if arch
> > Linux votes for me.
> >
> >
> > > > i won’t re-apply because that’s a waste of everyone’s time just for
> > > > the sake of ticking boxes.
> > >
> > > I consider an application that does not meet the requirements and has
> > > had very little effort put in to be a waste of time.
> >
> >
> > That’s true, and I guess I already have your -1 on the votes. Great
> > meeting you :)
> >
> > Besides not following rules, I help to maintain with patches upstream as
> > a maintainer, co-maintainer or just a random person sending patches
> > fixing bugs the following software set:
>
> So which is it, (co/)maintainer or random person sending patches?


Both, but, let me clarify:
- I am a KDE developer, you can check my credentials and my name is on the
KDE ev Members list here:
 https://ev.kde.org/members/

I'm one of the most active developers on Konsole, and one of the core
developers of Plasma Firewall.
I also worked with Subsurface for many years porting the software from Gtk
to Qt - and I'm one of the top 5 developers there.
The other softwares in the list that *are not* from kde software I'm just a
random person contributing on my spare time because I like it.
I have never - on my 18 years of coding - worked with opensource because it
was paid, and I contribute since my university days because I *sincerely*
like it.

> I've sent patches for Pacman and other Arch Projects but that does not make
> me an Archlinux Developer. (I mean, I can call myself whatever I want so
> I suppose it does but that is irrelevant.)
>
> > - kde plasma
> > - plasma firewall
> > - dolphin
> > - ark
> > - kde system settings
> > - Konsole
> > - qgroundcontrol
> > - konversation
> > - kio
> > - kde partition manager
> > - subsurface
> > - kde frameworks
> > - codevis
> > - kconfigxt
> >
> > But in the end it’s the maintainers role to see if someone from upstream
> > would be useful for arch as a packager, or if he just wants to waste
> > more time of a non-paid position for no glory just for the sake of
> > helping a distro he uses daily.
>
> I'll gladly waste time on a non-paid position for no glory for the sake
> of helping the distro I use daily. It's called "contributing".
>

That's what I do for more than 18 years. We know that written text lacks
tone, so I'll clarify that thing too:
"if we are too strict about following all the rules we will let go people
that would be a good fit for the project, for the sake of following the
process correctly", but processes also are a thing that should evolve.


>
> https://wiki.archlinux.org/title/Getting_involved
>
> I maintain AUR packages, troll #aot on IRC, report bugs and try to help
> track them down, use the testing repos and sign off on newly updated
> packages.. None of these things is difficult or overly time consuming
> and making yourself known by doing any one of them will have a
> significant positive impact on your application.
>

I fix bugs upstream, work on opensource on my day to day life and on my
vacations I travel to teach programming to students with low income. We all
work for the common goal, and while the list of things that are not time
consuming, they will add and will be time consuming in the end.


> >   Today I’ll create an aur component for Codevis, a software to
> > visualize large architectures Im developing for the past three years
> > (that just got opensourced)
> >
> > And I’ll also create a GPG key, and sign some email on this thread with it.
>
> I like seeing new stuff going into the AUR. I forgot to mention the
> handful of packages i found on github just to put in the AUR. For
> nothing more than funsies, but they're being used by people which is
> awesome. (And entirely the point.)
>
> I guess my overall point is.. WHY do you want to be a Package Maintainer
> for Archlinux?
>

To improve the relationship between KDE & Archlinux, having more people
that are on those two communities at the same time, to move things faster
and help decrease the maintenance burden of a single person taking care of
around ~400 pieces of software.


Re: Applying for maintainer role

2023-07-17 Thread Matthew Sexton



On 7/17/23 04:27, Tomaz Canabrava wrote:
> On Mon, 17 Jul 2023 at 11:18 Jonathan Steel wrote:
>
> > On Mon 17 Jul 2023 at 10:44, Tomaz Canabrava wrote:
> > > Because I don’t have a gpg key, and when the dkim features on the email
> > > already are enough to validate that the email I send is from me.
> >
> > You will need a GPG key to package. Arch has rules about applying and
> > you are openly not following them.
>
> I’ll create a gpg key when/if I need, to sign the packages, if arch
> Linux votes for me.
>
> > > i won’t re-apply because that’s a waste of everyone’s time just for
> > > the sake of ticking boxes.
> >
> > I consider an application that does not meet the requirements and has
> > had very little effort put in to be a waste of time.
>
> That’s true, and I guess I already have your -1 on the votes. Great
> meeting you :)
>
> Besides not following rules, I help to maintain with patches upstream as
> a maintainer, co-maintainer or just a random person sending patches
> fixing bugs the following software set:

So which is it, (co/)maintainer or random person sending patches? I've
sent patches for Pacman and other Arch Projects but that does not make
me an Archlinux Developer. (I mean, I can call myself whatever I want so
I suppose it does but that is irrelevant.)

> - kde plasma
> - plasma firewall
> - dolphin
> - ark
> - kde system settings
> - Konsole
> - qgroundcontrol
> - konversation
> - kio
> - kde partition manager
> - subsurface
> - kde frameworks
> - codevis
> - kconfigxt
>
> But in the end it’s the maintainers role to see if someone from upstream
> would be useful for arch as a packager, or if he just wants to waste
> more time of a non-paid position for no glory just for the sake of
> helping a distro he uses daily.

I'll gladly waste time on a non-paid position for no glory for the sake
of helping the distro I use daily. It's called "contributing".

https://wiki.archlinux.org/title/Getting_involved

I maintain AUR packages, troll #aot on IRC, report bugs and try to help
track them down, use the testing repos and sign off on newly updated
packages.. None of these things is difficult or overly time consuming
and making yourself known by doing any one of them will have a
significant positive impact on your application.

> Today I’ll create an aur component for Codevis, a software to
> visualize large architectures Im developing for the past three years
> (that just got opensourced)
>
> And I’ll also create a GPG key, and sign some email on this thread with it.

I like seeing new stuff going into the AUR. I forgot to mention the
handful of packages i found on github just to put in the AUR. For
nothing more than funsies, but they're being used by people which is
awesome. (And entirely the point.)

I guess my overall point is.. WHY do you want to be a Package Maintainer
for Archlinux?


OpenPGP_signature.asc
Description: OpenPGP digital signature


Re: Applying for maintainer role

2023-07-17 Thread Tomaz Canabrava
On Mon, Jul 17, 2023 at 11:16 AM Tomaz Canabrava wrote:

> Hello Carsten,
>
>
> On Mon, 17 Jul 2023 at 11:41 Carsten Haitzler wrote:
>
>> On Mon, 17 Jul 2023 10:44:37 +0300 Tomaz Canabrava said:
>>
>> > On Mon, 17 Jul 2023 at 10:25 Jonathan Steel wrote:
>> >
>> > > On Sun 16 Jul 2023 at 15:37, Tomaz Canabrava wrote:
>> > > > I have experience with packaging (debian, for work) but not on arch,
>> > > > but it’s shell and that thing I can handle :)
>> > >
>> > > Why not show this by maintaining some AUR packages?
>> >
>> >
>> > Mostly because there is nothing in aur that I use that lacks a maintainer.
>> > But I do have a software that is not packaged yet that I can port to aur.
>> >
>> >
>> >
>> > > > This is not gpg signed and I’m sorry for that, but gian and Antonio can
>> > > > also vouch for me as the validity of this email.
>> > >
>> > > Why is it not signed?
>> >
>> >
>> > Because I don’t have a gpg key, and when the dkim features on the email
>> > already are enough to validate that the email I send is from me.
>> >
>> >
>> > >
>> > > I think you should read https://wiki.archlinux.org/title/Trusted_Users and
>> > > re-submit a signed application showing the minimum requirements are met.
>> >
>> >
>> > I have read the wiki and I have applied to a packager position following
>> > the wiki rules or explaining why I didn’t follow a part of it, i won’t
>> > re-apply because that’s a waste of everyone’s time just for the sake of
>> > ticking boxes.
>> >
>> > Summary:
>> >  - [x] known on the opensource community with multiple, and used, programs
>> > - [x] packaging experience
>> > - [ ] aur / arch package experience
>> > - [x] contributes directly to upstream
>> > - [ ] signed the mail with gpg
>>
>> Then I would reject your application as you don't plan to re-try with a PGP
>> key and don't even have one.
>>
>> A PGP key is used to show that it was YOU and not someone else that signed a
>> package is a basic requirement of maintaining packages on Arch. That has
>> nothing to do with dkim or email. You'll need a PGP key for other things and
>> if you don't have one, you can't maintain packages. Signing your email with a
>> PGP key at least shows you have one and can use it for some basic things. As
>> you're clear you don't have one and have no intention of showing you do by
>> re-applying with a signed email I can't see how you would be able to maintain
>> packages.
>>
>> In addition, you don't have any packaging experience on Arch. The first step
>> is AUR. Get your feet wet somewhere that is simpler like AUR. I would suggest
>> you get some experience there first before you have to deal with submitting
>> community etc. packages that actually have more layers of work to be done
>> over and above what AUR needs, so AUR "work" is like learning the first 50%
>> of what is needed.
>>
>> I think it'd be great if you did arrange to have a PGP key, showed us you
>> have one by signing an application after you've done some AUR packaging for a
>> bit.
>>
>> This is what I did - I maintained some AUR packages for a while then expanded
>> the number I work on and eventually applied to maintain more "core" packages
>> because I too am an upstream.
>>
>> I'm not one of these "I must PGP sign everything" people. I'm not that
>> security-focused about my utterances by e-mail, but I do see the point of it
>> for packaging and I jumped through the hoops to deal with it.
>>
>> I get your feeling of "Why bother - it's just an email", but it's a necessary
>> component in the packaging pipeline and ecosystem. You're not expected to be
>> some PGP guru. You're just expected to be able to sign some package to say it
>> was you that packaged it and that requires you to "jump through some hoops"
>> at this stage. I hope you'll reconsider.
>
>
> That’s completely understandable.
>
>  Today I’ll create an aur component for Codevis, a software to visualize
> large architectures Im developing for the past three years (that just got
> opensourced)
>

Hello,

People are just too fast, as I was trying to start creating an AUR package
for a software I just released, it's already there, so I don't think
there's a need for me to re-create the same thing.
https://aur.archlinux.org/packages/codevis-db-git

I am not the developer of this package, but I could get co-maintainership
of it if the original author wants to share the responsibility.
I have also created my GPG key and I can sign e-mails, but I'm behind a
university proxy from Akademy, and I was not able to send the key to a
keyserver.

Tomaz


>
> And I’ll also create a GPG key, and sign some email on this thread with
> it.
>
> Best,
> Tomaz
>
>>
>>
>>
>> --
>> Carsten Haitzler 
>>
>


Re: Applying for maintainer role

2023-07-17 Thread Tomaz Canabrava
Hello Carsten,


On Mon, 17 Jul 2023 at 11:41 Carsten Haitzler  wrote:

> On Mon, 17 Jul 2023 10:44:37 +0300 Tomaz Canabrava said:
>
> > On Mon, 17 Jul 2023 at 10:25 Jonathan Steel wrote:
> >
> > > On Sun 16 Jul 2023 at 15:37, Tomaz Canabrava wrote:
> > > > I have experience with packaging (debian, for work) but not on arch, but
> > > > it’s shell and that thing I can handle :)
> > >
> > > Why not show this by maintaining some AUR packages?
> >
> > Mostly because there is nothing in aur that I use that lacks a maintainer.
> > But I do have a software that is not packaged yet that I can port to aur.
> >
> > > > This is not gpg signed and I’m sorry for that, but gian and Antonio can
> > > > also vouch for me as the validity of this email.
> > >
> > > Why is it not signed?
> >
> > Because I don’t have a gpg key, and when the dkim features on the email
> > already are enough to validate that the email I send is from me.
> >
> > > I think you should read https://wiki.archlinux.org/title/Trusted_Users and
> > > re-submit a signed application showing the minimum requirements are met.
> >
> > I have read the wiki and I have applied to a packager position following
> > the wiki rules or explaining why I didn’t follow a part of it, I won’t
> > re-apply because that’s a waste of everyone’s time just for the sake of
> > ticking boxes.
> >
> > Summary:
> > - [x] known on the opensource community with multiple, and used, programs
> > - [x] packaging experience
> > - [ ] aur / arch package experience
> > - [x] contributes directly to upstream
> > - [ ] signed the mail with gpg
>
> Then I would reject your application as you don't plan to re-try with a
> PGP key and don't even have one.
>
> A PGP key is used to show that it was YOU and not someone else that signed
> a package is a basic requirement of maintaining packages on Arch. That has
> nothing to do with dkim or email. You'll need a PGP key for other things
> and if you don't have one, you can't maintain packages. Signing your email
> with a PGP key at least shows you have one and can use it for some basic
> things. As you're clear you don't have one and have no intention of showing
> you do by re-applying with a signed email I can't see how you would be able
> to maintain packages.
>
> In addition, you don't have any packaging experience on Arch. The first
> step is AUR. Get your feet wet somewhere that is simpler like AUR. I would
> suggest you get some experience there first before you have to deal with
> submitting community etc. packages that actually have more layers of work
> to be done over and above what AUR needs, so AUR "work" is like learning
> the first 50% of what is needed.
>
> I think it'd be great if you did arrange to have a PGP key, showed us you
> have one by signing an application after you've done some AUR packaging
> for a bit.
>
> This is what I did - I maintained some AUR packages for a while then
> expanded the number I work on and eventually applied to maintain more
> "core" packages because I too am an upstream.
>
> I'm not one of these "I must PGP sign everything" people. I'm not that
> security-focused about my utterances by e-mail, but I do see the point of
> it for packaging and I jumped through the hoops to deal with it.
>
> I get your feeling of "Why bother - it's just an email", but it's a
> necessary component in the packaging pipeline and ecosystem. You're not
> expected to be some PGP guru. You're just expected to be able to sign some
> package to say it was you that packaged it and that requires you to "jump
> through some hoops" at this stage. I hope you'll reconsider.


That’s completely understandable.

Today I’ll create an aur component for Codevis, a software to visualize
large architectures I’m developing for the past three years (that just got
opensourced)

And I’ll also create a GPG key, and sign some email on this thread with it.

Best,
Tomaz

>
>
>
> --
> Carsten Haitzler 
>


Re: Applying for maintainer role

2023-07-17 Thread Tomaz Canabrava
On Mon, 17 Jul 2023 at 11:18 Jonathan Steel  wrote:

> On Mon 17 Jul 2023 at 10:44, Tomaz Canabrava wrote:
> > Because I don’t have a gpg key, and when the dkim features on the email
> > already are enough to validate that the email I send is from me.
>
> You will need a GPG key to package. Arch has rules about applying and you are
> openly not following them.


I’ll create a gpg key when/if I need, to sign the packages, if arch Linux
votes for me.


> > I won’t re-apply because that’s a waste of everyone’s time just for the sake
> > of ticking boxes.
>
> I consider an application that does not meet the requirements and has had very
> little effort put in to be a waste of time.


That’s true, and I guess I already have your -1 on the votes. Great meeting
you :)

Besides not following rules, I help to maintain with patches upstream as a
maintainer, co-maintainer or just a random person sending patches fixing
bugs the following software set:

- kde plasma
- plasma firewall
- dolphin
- ark
- kde system settings
- Konsole
- qgroundcontrol
- konversation
- kio
- kde partition manager
- subsurface
- kde frameworks
- codevis
- kconfigxt

But in the end it’s the maintainers role to see if someone from upstream
would be useful for arch as a packager, or if he just wants to waste more
time of a non-paid position for no glory just for the sake of helping a
distro he uses daily.

Best.

-- 
> Jonathan Steel
>


Re: Applying for maintainer role

2023-07-17 Thread Jonathan Steel
On Mon 17 Jul 2023 at 10:44, Tomaz Canabrava wrote:
> Because I don’t have a gpg key, and when the dkim features on the email
> already are enough to validate that the email I send is from me.

You will need a GPG key to package. Arch has rules about applying and you are
openly not following them.

> I won’t re-apply because that’s a waste of everyone’s time just for the sake
> of ticking boxes.

I consider an application that does not meet the requirements and has had very
little effort put in to be a waste of time.

-- 
Jonathan Steel


signature.asc
Description: PGP signature


Re: Applying for maintainer role

2023-07-17 Thread Tomaz Canabrava
On Mon, 17 Jul 2023 at 10:25 Jonathan Steel  wrote:

> On Sun 16 Jul 2023 at 15:37, Tomaz Canabrava wrote:
> > I have experience with packaging (debian, for work) but not on arch, but
> > it’s shell and that thing I can handle :)
>
> Why not show this by maintaining some AUR packages?


Mostly because there is nothing in aur that I use that lacks a maintainer.
But I do have a software that is not packaged yet that I can port to aur.



> > This is not gpg signed and I’m sorry for that, but gian and Antonio can
> > also vouch for me as the validity of this email.
>
> Why is it not signed?


Because I don’t have a gpg key, and when the dkim features on the email
already are enough to validate that the email I send is from me.


>
> I think you should read https://wiki.archlinux.org/title/Trusted_Users and
> re-submit a signed application showing the minimum requirements are met.


I have read the wiki and I have applied to a packager position following
the wiki rules or explaining why I didn’t follow a part of it, I won’t
re-apply because that’s a waste of everyone’s time just for the sake of
ticking boxes.

Summary:
- [x] known on the opensource community with multiple, and used, programs
- [x] packaging experience
- [ ] aur / arch package experience
- [x] contributes directly to upstream
- [ ] signed the mail with gpg

Best,
Tomaz



>
> --
> Jonathan Steel
>


Re: Applying for maintainer role

2023-07-17 Thread Jonathan Steel
On Sun 16 Jul 2023 at 15:37, Tomaz Canabrava wrote:
> I have experience with packaging (debian, for work) but not on arch, but
> it’s shell and that thing I can handle :)

Why not show this by maintaining some AUR packages?

> This is not gpg signed and I’m sorry for that, but gian and Antonio can
> also vouch for me as the validity of this email.

Why is it not signed?

I think you should read https://wiki.archlinux.org/title/Trusted_Users and
re-submit a signed application showing the minimum requirements are met.

-- 
Jonathan Steel


signature.asc
Description: PGP signature