On 19/02/11 22:55, Daniel Mendler wrote:
Hi Allan

I will repeat myself again...  Patches for pacman do bugger all for
getting signatures into Arch Linux repos.   Patches for the Arch Linux
devtools/db-scripts packages are needed.

Well, Pierre says the same for pacman. Someone has to take the first
initiative here.

Well, he is wrong... :P

I will post why in reply to that message soon.

And I will once again point to the package signing TODO page for a list
of what we need to do at a minimum before this becomes integrated in the
main pacman branch:
https://wiki.archlinux.org/index.php/User:Allan/Package_Signing
As with all feature branches, they are integrated into master when they are
finished.  Otherwise we can not make a release without actually getting
it fully completed or backing out the unfinished work.  Given the rate
this has been developed, the second seems the likely outcome.

I understand that it should be finished before it is merged. What is
missing is a strong statement from the development team that they want
signatures asap. I think there are enough people who are willing to
provide patches (me included) if you show real interest in package signing.

What a load of bullshit. The first patch was submitted over two years ago and immediately pulled into a branch. But as has happened repeatedly, that person disappeared and never finished. All further work by other people was also reviewed and/or pulled to one of the main developers git branches fairly quickly after posting. And we have repeatedly said "patches welcome". I'm not sure how much clearer we could be that this is an area that we would be happy for people to work on.

Finally, "minor" performance issues interest me a hell of a lot more
than package signing.  Mainly because that actually affects me whereas
unsigned packages really do not...  That is why I spent my free time
implementing them.  Thinking about it, improving optdepends handling,
transaction hooks, VCS support in makepkg, adding a test suite for
makepkg, automatic creation of debug packages, ....  all affect me more
than package signing does, so I maybe will start work on package signing
again once those are finished.

You really have to rethink your priority list here. Those attacks on
package managers have been known for a long time and the package signing point
has come up very often on the pacman mailing list. So there are people
who are concerned about it.

As I said, it really does not affect me. I use the master server for my repo db downloads and know exactly which package updates to expect given I see all commits to our svn repos. So the scope in which I could be attacked is very small and I am prepared to take that risk. So my priorities are clearly different to other people's. The key difference is, I submit patches to implement what I consider a priority...

Allan
