Re: [arch-dev-public] When rebuilding, *please* check open bug reports
On 31 May 2012 15:12, Dan McGee wrote:
> tl;dr: if you bump a package version, *please* check bug reports while
> doing so, especially if it isn't your package. It isn't helpful to
> just have the latest and greatest if we have outstanding bugs.

You're totally right. Due to my hurry, I forgot to check for open bugs this time. I agree we should check every time for open bugs. Sorry for the noise.

Regards
--
Andrea
[arch-dev-public] When rebuilding, *please* check open bug reports
Hey guys,

This isn't meant to call out a specific case, as I've seen a bit of this lately, and I'm by no means singling out Andrea or the Postgis package on this. However, the postgis (https://www.archlinux.org/packages/community/x86_64/postgis/) package was rebuilt today but the bug reports were not looked at which contained a very valid request as well as a patch for the build script, and it was bumped without the bug report being considered or looked at as far as I can tell.

tl;dr: if you bump a package version, *please* check bug reports while doing so, especially if it isn't your package. It isn't helpful to just have the latest and greatest if we have outstanding bugs.

Thanks,
-Dan
Re: [arch-dev-public] Proposed news item: Package verification
[2012-05-02 23:38:22 +0200] Gaetan Bisson:
> However, the install message is drowned in the flood of packages, so most
> users will likely struggle when they run pacman next.

All in all, that seems like a minor con, especially since, on top of the install message, we'll have a news post about this. It is far outweighed by the pro of bringing users' setups to the same page as ours.

Attached are an updated proposed news post and pacman-4.0.3-2 release. Please do have a look and let me know if you disagree with anything. I would like to push this to [testing] in a couple of days or so.

Cheers.

--
Gaetan

Title: Having pacman verify packages

Over the past six months, pacman has had package verification features, although they were turned off while we were still figuring out the details of our public-key infrastructure. They have been enabled in pacman-4.0.3-2; when you upgrade, you will be prompted to run:

    pacman-key --init
    pacman-key --populate archlinux

This sets up a local keyring for pacman, and populates it with the data needed to authenticate official packages. This includes five master keys used to authenticate official Arch Linux packagers (developers and trusted users), so you do not need to know who joins or leaves the team: you only have to verify those five master keys once and for all. The populate command will prompt you to do so; please do this cautiously by checking the fingerprints displayed against those published on our website (https://www.archlinux.org/master-keys/).

Then, merge your pacman.conf with pacman.conf.new, that is, enable package verification through the SigLevel option, and you should be good to go.

For details on the development of pacman and archlinux-keyring, see the blog posts of Allan (http://allanmcrae.com/2011/12/pacman-package-signing-4-arch-linux/) and Pierre (https://pierre-schmitz.com/verify-all-the-packages/).
diff -Naur old/pacman.conf new/pacman.conf --- old/pacman.conf 2012-05-31 22:15:59.600458792 +1000 +++ new/pacman.conf 2012-05-31 22:35:29.778949346 +1000 @@ -36,18 +36,13 @@ CheckSpace #VerbosePkgLists -# PGP signature checking -# NOTE: None of this will work without running `pacman-key --init` first. -# The compiled in default is equivalent to the following line. This requires -# you to locally sign and trust packager keys using `pacman-key` for them to be -# considered valid. +# By default, pacman accepts packages signed by keys that its local keyring +# trusts (see pacman-key and its man page), as well as unsigned packages. #SigLevel = Optional TrustedOnly -# If you wish to check signatures but avoid local sign and trust issues, use -# the following line. This will treat any key imported into pacman's keyring as -# trusted. -#SigLevel = Optional TrustAll -# For now, off by default unless you read the above. -SigLevel = Never + +# NOTE: You must run `pacman-key --init` before first using pacman; the local +# keyring can then be populated with the keys of all official Arch Linux +# packagers with `pacman-key --populate archlinux`. # # REPOSITORIES @@ -77,11 +72,11 @@ #Include = /etc/pacman.d/mirrorlist [core] -#SigLevel = PackageRequired +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist [extra] -#SigLevel = PackageOptional +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist #[community-testing] @@ -89,7 +84,7 @@ #Include = /etc/pacman.d/mirrorlist [community] -#SigLevel = PackageOptional +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist # An example of a custom package repository. See the pacman manpage for diff -Naur old/pacman.conf.x86_64 new/pacman.conf.x86_64 --- old/pacman.conf.x86_64 2012-05-31 22:15:59.600458792 +1000 +++ new/pacman.conf.x86_64 2012-05-31 22:38:21.699215405 +1000 
@@ -36,18 +36,13 @@ CheckSpace #VerbosePkgLists -# PGP signature checking -# NOTE: None of this will work without running `pacman-key --init` first. -# The compiled in default is equivalent to the following line. This requires -# you to locally sign and trust packager keys using `pacman-key` for them to be -# considered valid. +# By default, pacman accepts packages signed by keys that its local keyring +# trusts (see pacman-key and its man page), as well as unsigned packages. #SigLevel = Optional TrustedOnly -# If you wish to check signatures but avoid local sign and trust issues, use -# the following line. This will treat any key imported into pacman's keyring as -# trusted. -#SigLevel = Optional TrustAll -# For now, off by default unless you read the above. -SigLevel = Never + +# NOTE: You must run `pacman-key --init` before first using pacman; the local +# keyring can then be populated with the keys of all official Arch Linux +# packagers with `pacman-key --populate archlinux`. # # REPOSITORIES @@ -77,11 +72,11 @@ #Include = /etc/pacman.d/mirrorlist [core] -#SigLevel = PackageRequired +SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist
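Review bot: The new comment in the `-36,18 +36,13` hunk (identical in both files) should state that the Optional default still applies to any repository section without its own SigLevel line. With `SigLevel = Never` removed and `#SigLevel = Optional TrustedOnly` left commented out, the text "as well as unsigned packages" describes what every such section gets, so a user who adds a custom repository has no hint that it needs its own `SigLevel = PackageRequired`. The removed lines also documented `Optional TrustAll`; a pointer to where that is now described would keep the information reachable.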
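Review bot: The commented-out repositories are not covered: old line 88, between `#[community-testing]` and its `#Include`, falls in the gap between the `-77,11` and `-89,7` hunks and is left unchanged, while [core], [extra] and [community] get `SigLevel = PackageRequired`. Any SigLevel line those sections carry should be set to PackageRequired too, otherwise uncommenting such a section falls back to the global default that accepts unsigned packages. The pacman.conf.x86_64 diff as shown here also ends after the [core] change; check that it carries the same [extra] and [community] changes as pacman.conf.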
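The merge step in the news post above decides which repositories still accept unsigned packages. As an added example (not part of the original mail or of pacman), this Python sketch resolves the effective SigLevel per repository under a simplified model: the compiled-in default is taken from the diff's comment (`Optional TrustedOnly`), repository values are assumed to layer over the `[options]` value, Include files are ignored, and the `[custom]` repository in the sample is constructed.

```python
# Added example: simplified model of SigLevel resolution in pacman.conf.
# Assumption (from the diff's comment): the compiled-in default is "Optional TrustedOnly".
DEFAULT = {"pkg": "Optional", "db": "Optional"}
CHECKS = ("Never", "Optional", "Required")

def apply_siglevel(base, value):
    """Return a copy of base with the SigLevel tokens in value applied."""
    level = dict(base)
    for token in value.split():
        scopes = ("pkg", "db")
        if token.startswith("Package"):
            scopes, token = ("pkg",), token[len("Package"):]
        elif token.startswith("Database"):
            scopes, token = ("db",), token[len("Database"):]
        if token in CHECKS:
            level.update({s: token for s in scopes})
        elif token not in ("TrustedOnly", "TrustAll"):
            raise ValueError(f"unknown SigLevel token: {token!r}")
    return level

def effective_siglevels(conf_text):
    """Map each active repository to its effective package/database check level."""
    section, raw = None, {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # commented-out sections and settings have no effect
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            raw.setdefault(section, None)
        elif section and line.partition("=")[0].strip() == "SigLevel":
            raw[section] = line.partition("=")[2].strip()
    glob = apply_siglevel(DEFAULT, raw.pop("options", None) or "")
    return {repo: apply_siglevel(glob, v or "") for repo, v in raw.items()}

def repos_accepting_unsigned(conf_text):
    """Repositories whose package check level is weaker than Required."""
    levels = effective_siglevels(conf_text)
    return sorted(r for r, lv in levels.items() if lv["pkg"] != "Required")

# Constructed sample modelled on the patched file, plus a hypothetical [custom] repo.
NEW_CONF = """[options]
#SigLevel = Optional TrustedOnly
[core]
SigLevel = PackageRequired
[extra]
SigLevel = PackageRequired
[custom]
Server = file:///home/custompkgs
"""
if __name__ == "__main__":
    print(repos_accepting_unsigned(NEW_CONF))
```
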
[arch-dev-public] Signoff report for [testing]
=== Signoff report for [testing] ===
https://www.archlinux.org/packages/signoffs/

There are currently:
* 8 new packages in last 24 hours
* 0 known bad packages
* 0 packages not accepting signoffs
* 14 fully signed off packages
* 191 packages missing signoffs
* 0 packages older than 14 days

(Note: the word 'package' as used here refers to packages as grouped by pkgbase, architecture, and repository; e.g., one PKGBUILD produces one package per architecture, even if it is a split package.)

== New packages in [testing] in last 24 hours (8 total) ==

* procps-ng-3.3.3-1 (i686)
* procps-ng-3.3.3-1 (x86_64)
* bluez-4.99-6 (i686)
* systemd-183-6 (i686)
* xorg-server-1.12.2-1 (i686)
* bluez-4.99-6 (x86_64)
* systemd-183-6 (x86_64)
* xorg-server-1.12.2-1 (x86_64)

== Incomplete signoffs for [core] (14 total) ==

* btrfs-progs-0.19.20120328-3 (i686) 0/2 signoffs
* cryptsetup-1.4.2-2 (i686) 0/2 signoffs
* dmraid-1.0.0.rc16.3-5 (i686) 0/2 signoffs
* gpm-1.20.6-8 (i686) 1/2 signoffs
* libpipeline-1.2.1-1 (i686) 1/2 signoffs
* lvm2-2.02.95-6 (i686) 0/2 signoffs
* mkinitcpio-nfs-utils-0.3-3 (i686) 0/2 signoffs
* pinentry-0.8.1-4 (i686) 1/2 signoffs
* procps-ng-3.3.3-1 (i686) 0/2 signoffs
* cryptsetup-1.4.2-2 (x86_64) 0/2 signoffs
* dmraid-1.0.0.rc16.3-5 (x86_64) 0/2 signoffs
* libpipeline-1.2.1-1 (x86_64) 1/2 signoffs
* mkinitcpio-nfs-utils-0.3-3 (x86_64) 0/2 signoffs
* procps-ng-3.3.3-1 (x86_64) 0/2 signoffs

== Incomplete signoffs for [extra] (177 total) ==

* bluez-4.99-6 (i686) 0/2 signoffs
* cairo-perl-1.082-2 (i686) 0/2 signoffs
* chromium-19.0.1084.52-2 (i686) 0/2 signoffs
* claws-mail-extra-plugins-3.8.0-3 (i686) 0/2 signoffs
* consolekit-0.4.6-4 (i686) 0/2 signoffs
* fcpci-31107-75 (i686) 0/2 signoffs
* fcpcmcia-31107-70 (i686) 0/2 signoffs
* frozen-bubble-2.2.1beta1-4 (i686) 0/2 signoffs
* gc-7.2-1 (i686) 0/2 signoffs
* gconf-perl-1.044-7 (i686) 0/2 signoffs
* glade-perl-1.007-6 (i686) 0/2 signoffs
* glib-perl-1.260-1 (i686) 0/2 signoffs
* gnome-perl-1.042-8 (i686) 0/2 signoffs
* gnome-vfs-perl-1.081-5 (i686) 0/2 signoffs
* gnomecanvas-perl-1.002-10 (i686) 0/2 signoffs
* gnumeric-1.10.17-2 (i686) 0/2 signoffs
* graphicsmagick-1.3.15-2 (i686) 0/2 signoffs
* graphviz-2.28.0-10 (i686) 0/2 signoffs
* gtk2-perl-1.244-1 (i686) 0/2 signoffs
* gvfs-1.12.3-2 (i686) 0/2 signoffs
* imagemagick-6.7.7.0-1 (i686) 1/2 signoffs
* irssi-0.8.15-6 (i686) 0/2 signoffs
* kdebindings-perlkde-4.8.3-2 (i686) 0/2 signoffs
* kdebindings-perlqt-4.8.3-2 (i686) 0/2 signoffs
* kdelibs-4.8.3-2 (i686) 0/2 signoffs
* libatasmart-0.18-2 (i686) 0/2 signoffs
* libcanberra-0.28-5 (i686) 0/2 signoffs
* libproxy-0.4.7-2 (i686) 0/2 signoffs
* lighttpd-1.4.30-6 (i686) 0/2 signoffs
* lirc-1:0.9.0-18 (i686) 0/2 signoffs
* mesa-8.0.3-2 (i686) 0/2 signoffs
* mod_perl-2.0.6-1 (i686) 0/2 signoffs
* net-snmp-5.7.1-3 (i686) 0/2 signoffs
* nvidia-295.53-2 (i686) 0/2 signoffs
* pango-perl-1.223-2 (i686) 0/2 signoffs
* perl-async-interrupt-1.10-2 (i686) 0/2 signoffs
* perl-bit-vector-7.2-2 (i686) 0/2 signoffs
* perl-compress-bzip2-2.09-5 (i686) 0/2 signoffs
* perl-crypt-openssl-bignum-0.04-7 (i686) 0/2 signoffs
* perl-crypt-openssl-random-0.04-7 (i686) 0/2 signoffs
* perl-crypt-openssl-rsa-0.28-3 (i686) 0/2 signoffs
* perl-crypt-ssleay-0.58-4 (i686) 0/2 signoffs
* perl-dbd-mysql-4.020-3 (i686) 0/2 signoffs
* perl-dbd-sqlite-1.35-2 (i686) 0/2 signoffs
* perl-dbi-1.618-2 (i686) 0/2 signoffs
* perl-digest-nilsimsa-0.06-8 (i686) 0/2 signoffs
* perl-digest-sha1-2.13-3 (i686) 0/2 signoffs
* perl-ev-4.11-2 (i686) 0/2 signoffs
* perl-event-1.20-2 (i686) 0/2 signoffs
* perl-fcgi-0.74-3 (i686) 0/2 signoffs
* perl-guard-1.022-2 (i686) 0/2 signoffs
* perl-html-parser-3.69-2 (i686) 0/2 signoffs
* perl-libintl-perl-1.20-4 (i686) 0/2 signoffs
* perl-list-moreutils-0.33-3 (i686) 0/2 signoffs
* perl-locale-gettext-1.05-9 (i686) 0/2 signoffs
* perl-net-dns-0.68-2 (i686) 0/2 signoffs
* perl-net-ssleay-1.48-2 (i686) 0/2 signoffs
* perl-netaddr-ip-4.058-2 (i686) 0/2 signoffs
* perl-sdl-2.536-1 (i686) 0/2 signoffs
* perl-socket6-0.23-2 (i686) 0/2 signoffs
* perl-template-toolkit-2.22-5 (i686) 0/2 signoffs
* perl-term-readkey-2.30.02-2 (i686) 0/2 signoffs
* perl-text-iconv-1.7-7 (i686) 0/2 signoffs
* perl-time-hires-1.9725-2 (i686) 0/2 signoffs
* perl-tk-804.030-3 (i686) 0/2 signoffs
* perl-unicode-string-2.09-7 (i686) 0/2 signoffs
* perl-xml-parser-2.41-3 (i686) 0/2 signoffs
* perl-yaml-syck-1.20-2 (i686) 0/2 signoffs
* php-5.4.3-3 (i686) 0/2 signoffs
* pidgin-2.10.4-2 (i686) 0/2 signoffs
* pixman-0.26.0-1 (i686) 0/2 signoffs
* postgresql-9.1.3-2 (i686) 1/2 signoffs
* pulseaudio-2.0-2 (i686) 0/2 signoffs
* razor-2.84-7 (i686) 0/2 sign