[arch-dev-public] Signoff report for [testing]
=== Signoff report for [testing] === https://www.archlinux.org/packages/signoffs/ There are currently: * 12 new packages in last 24 hours * 1 known bad package * 2 packages not accepting signoffs * 20 fully signed off packages * 102 packages missing signoffs * 20 packages older than 14 days (Note: the word 'package' as used here refers to packages as grouped by pkgbase, architecture, and repository; e.g., one PKGBUILD produces one package per architecture, even if it is a split package.) == New packages in [testing] in last 24 hours (12 total) == * glib2-2.30.2-1 (i686) * kernel26-lts-2.6.32.48-1 (i686) * linux-3.1.1-1 (i686) * run-parts-4.0.4-1 (i686) * glib2-2.30.2-1 (x86_64) * kernel26-lts-2.6.32.48-1 (x86_64) * linux-3.1.1-1 (x86_64) * run-parts-4.0.4-1 (x86_64) * nouveau-drm-lts-0.0.16_20100313-7 (i686) * nvidia-lts-285.05.09-2 (i686) * nouveau-drm-lts-0.0.16_20100313-7 (x86_64) * nvidia-lts-285.05.09-2 (x86_64) == Incomplete signoffs for [core] (26 total) == * glib2-2.30.2-1 (i686) 0/2 signoffs * heirloom-mailx-12.5-3 (i686) 1/2 signoffs * isdn4k-utils-3.2p1-7 (i686) 1/2 signoffs * jfsutils-1.1.15-3 (i686) 1/2 signoffs * kernel26-lts-2.6.32.48-1 (i686) 1/2 signoffs * librpcsecgss-0.19-7 (i686) 0/2 signoffs * linux-atm-2.5.2-1 (i686) 0/2 signoffs * ppp-2.4.5-3 (i686) 0/2 signoffs * pptpclient-1.7.2-4 (i686) 0/2 signoffs * reiserfsprogs-3.6.21-4 (i686) 0/2 signoffs * rfkill-0.4-3 (i686) 1/2 signoffs * rpcbind-0.2.0-5 (i686) 1/2 signoffs * run-parts-4.0.4-1 (i686) 1/2 signoffs * sdparm-1.06-2 (i686) 1/2 signoffs * xfsprogs-3.1.6-1 (i686) 0/2 signoffs * glib2-2.30.2-1 (x86_64) 0/2 signoffs * isdn4k-utils-3.2p1-7 (x86_64) 1/2 signoffs * jfsutils-1.1.15-3 (x86_64) 1/2 signoffs * kernel26-lts-2.6.32.48-1 (x86_64) 1/2 signoffs * librpcsecgss-0.19-7 (x86_64) 0/2 signoffs * linux-atm-2.5.2-1 (x86_64) 0/2 signoffs * ppp-2.4.5-3 (x86_64) 1/2 signoffs * pptpclient-1.7.2-4 (x86_64) 1/2 signoffs * reiserfsprogs-3.6.21-4 (x86_64) 0/2 signoffs * run-parts-4.0.4-1 (x86_64) 0/2 signoffs * xfsprogs-3.1.6-1 (x86_64) 0/2 signoffs == Incomplete signoffs for [extra] (74 total) == * namcap-3.2.1-1 (any) 0/2 signoffs * qt-doc-4.8.0rc1-1 (any) 0/2 signoffs * alex-2.3.5-1.3 (i686) 1/2 signoffs * alsa-plugins-1.0.24-3 (i686) 0/2 signoffs * amarok-2.4.3-2 (i686) 0/2 signoffs * audacious-plugins-3.1-4 (i686) 0/2 signoffs * avidemux-2.5.5-5 (i686) 0/2 signoffs * blender-3:2.60a-2 (i686) 0/2 signoffs * cabal-install-0.10.2-1.1 (i686) 1/2 signoffs * cmus-2.4.2-2 (i686) 0/2 signoffs * ffmpeg-2008-1 (i686) 0/2 signoffs * ffmpegthumbnailer-2.0.7-2 (i686) 0/2 signoffs * gegl-0.1.6-2 (i686) 0/2 signoffs * gstreamer0.10-ugly-0.10.18-4 (i686) 0/2 signoffs * happy-1.18.6-1.2 (i686) 1/2 signoffs * jack-0.121.3-2 (i686) 0/2 signoffs * k3b-2.0.2-3 (i686) 0/2 signoffs * kdelibs-4.7.3-2 (i686) 0/2 signoffs * kdemultimedia-4.7.3-2 (i686) 0/2 signoffs * kradio-4.0.2-2 (i686) 0/2 signoffs * kwebkitpart-1.2.0-2 (i686) 0/2 signoffs * libffado-2.0.1-4 (i686) 0/2 signoffs * mediastreamer-2.7.3-4 (i686) 0/2 signoffs * miro-4.0.3-2 (i686) 0/2 signoffs * moc-20110528-4 (i686) 0/2 signoffs * mpd-0.16.5-2 (i686) 0/2 signoffs * mplayer-34283-1 (i686) 0/2 signoffs * nouveau-drm-lts-0.0.16_20100313-7 (i686) 0/2 signoffs * nvidia-lts-285.05.09-2 (i686) 0/2 signoffs * opal-3.10.2-3 (i686) 0/2 signoffs * opencv-2.3.1-2 (i686) 0/2 signoffs * proftpd-1.3.4-1 (i686) 0/2 signoffs * pyalpm-0.5.3-1 (i686) 0/2 signoffs * pyqt-4.8.6-2 (i686) 0/2 signoffs * qt-4.8.0rc1-1 (i686) 0/2 signoffs * sox-14.3.2-4 (i686) 0/2 signoffs * transcode-1.1.5-7 (i686) 0/2 signoffs * vlc-1.1.12-2 (i686) 0/2 signoffs * x264-20111030-1 (i686) 0/2 signoffs * xine-lib-1.1.19-6 (i686) 0/2 signoffs * alex-2.3.5-1.3 (x86_64) 0/2 signoffs * alsa-plugins-1.0.24-3 (x86_64) 1/2 signoffs * amarok-2.4.3-2 (x86_64) 0/2 signoffs * audacious-plugins-3.1-4 (x86_64) 0/2 signoffs * avidemux-2.5.5-5 (x86_64) 0/2 signoffs * blender-3:2.60a-2 (x86_64) 0/2 signoffs * cabal-install-0.10.2-1.1 (x86_64) 0/2 signoffs * cmus-2.4.2-2 (x86_64) 1/2 signoffs * ffmpeg-2008-1 (x86_64) 1/2 signoffs * ffmpegthumbnailer-2.0.7-2 (x86_64) 1/2 signoffs * gegl-0.1.6-2 (x86_64) 0/2 signoffs * gstreamer0.10-ugly-0.10.18-4 (x86_64) 1/2 signoffs * happy-1.18.6-1.2 (x86_64) 0/2 signoffs * jack-0.121.3-2 (x86_64) 0/2 signoffs * k3b-2.0.2-3 (x86_64) 0/2 signoffs * kdemultimedia-4.7.3-2 (x86_64) 1/2 signoffs * kradio-4.0.2-2 (x86_64) 0/2 signoffs * kwebkitpart-1.2.0-2 (x86_64) 0/2 signoffs * libffado-2.0.1-4 (x86_64) 0/2 signoffs * mediastreamer-2.7.3-4 (x86_64) 0/2 signoffs * miro-4.0.3-2 (x86_64) 0/2 signoffs * moc-20110528-4 (x86_64) 0/2 signoffs * mplayer-34283-1
Re: [arch-dev-public] sign packages on alderaan
On 12 November 2011 08:04, Ionut Biru ib...@archlinux.org wrote: On 11/12/2011 01:59 AM, Dan McGee wrote: On Fri, Nov 11, 2011 at 5:56 PM, Ionut Biru ib...@archlinux.org wrote: On 11/12/2011 01:43 AM, Ray Rashif wrote: On 12 November 2011 07:35, Dan McGee dpmc...@gmail.com wrote: On Fri, Nov 11, 2011 at 5:31 PM, Ray Rashif sc...@archlinux.org wrote: On 31 October 2011 02:06, Florian Pritz bluew...@xinu.at wrote: So far the only solution is to download the finished package, sign it locally using gpg --detach-sign file and then uploading the signature back to pkgbuild.com so commitpkg will find it. Did something change WRT this workflow now? I'm getting signature-incorrect from commitpkg. I did sign like this 2 times before (opencv and cinelerra-cv), so it did work recently. gpg --verify outputs: gpg: Can't check signature: public key not found But this is normal, and the public key was not there for the previous 2 times. Or was gpg --verify not there in commitpkg before? Do I now need to import my public key on alderaan? Is your key in your keychain on alderaan? Probably not from what this looks like. Easy to check- `gpg --list-keys 0xfoobar`. -Dan Nope. That was what I was asking - whether I need to add it. The last 2 times that I pushed signed packages from alderaan I didn't do anything gpg-related remotely. Anyway, imported the key now so all is good again. -- GPG/PGP ID: C0711BF1 don't import any key on alderaan. Hmm? He is trying to *verify*, meaning he needs his *public* key. This has nothing to do with signing or private keys. It make a heck of a lot more sense bandwidth-wise for him to upload the signature file to alderaan than upload both the package and signature from his local machine, so why should he not be able to do that? The `gpg --verify` call is there to make sure developers don't accidentally upload mismatched packages and corresponding signature files, which could easily happen when doing test builds and --nosign, etc. -Dan well, i understood that he signed the package on alderaan... Then you misunderstood. My reply to the topic meant I was referring to the only workaround to sign packages on alderaan, which is to build, download packages, sign locally, upload signatures, and then push wholesale. I followed that process on 2 previous occasions and there was no complaint even when there was no public key on the remote machine, but this time commitpkg complained about the signatures. So I only wanted to know whether I did anything wrong. Anyway, it's now evident that the verification was not there before. Importing a public key poses no risk (done with --recv-keys), so there is also no need to change anything in commitpkg. -- GPG/PGP ID: C0711BF1
[arch-dev-public] WARNING: Qt 4.8 removal
Hi, I just removed the qt package and the qtwebkit one from [testing]. You already know the reason, if you don't, see [1]. The Qt team has not a public release schedule and we cannot wait the final release anymore. You can downgrade to Qt 4.7 using `pacman -Syuu`. Qtwebkit conflicts with Qt 4.7, then we do not expect any problem here. The packages which depend on qtwebkit have been removed too. Cheers [1] http://mailman.archlinux.org/pipermail/arch-dev-public/2011- November/022064.html -- Andrea