Re: [aur-general] [arch-dev-public] AUR migration
[2020-07-28 13:46:23 +0100] Filipe Laíns:
> If one machine gets compromised the keys are also compromised.

I never suggested to use the same keys for multiple servers. Only that if luna's main purpose is to provide a service and this service is moved to a different host, it makes sense to move the SSH host keys too, and to generate new keys for luna.

> None of this happened, when it did happen in soyuz everyone got properly
> notified and had plenty time to get their stuff out, on top of that,
> the system was backed up in case someone forgot.

I wanted to point out that I consider copying user home directories over to a new host an important part of any migration.

Cheers.

-- 
Gaetan
Re: [aur-general] [arch-dev-public] AUR migration
[2020-07-27 21:10:23 -0300] Giancarlo Razzolini:
> On July 27, 2020 21:03, Gaetan Bisson wrote:
> >
> > It's quite unsettling that we seem to be rushing to write a news post
> > while this very reasonable suggestion remains completely ignored.
> >
>
> It wasn't ignored. The keys were deliberately changed in the process.

Why? Baptiste rightly points out "it's the same service as before and (presumably) the host private keys were not compromised, so there is no reason to change keys." Yet his message remains unanswered...

> I think the issue you refer to happened on the orion -> gemini migration and

You are correct.

> I personally think that everything that runs as a service on Arch servers should
> be properly tracked on ansible, even if it's a user service.

That is certainly a worthy goal but it does not imply that we must kill everything that is not tracked by ansible at every migration. Copying home directories over to the new host used to be standard practice for any administrator of a system which serves multiple users...

Cheers.

-- 
Gaetan
Re: [aur-general] [arch-dev-public] AUR migration
[2020-07-25 00:18:55 +0200] Baptiste Jonglez:
> On 24-07-20, Giancarlo Razzolini via arch-dev-public wrote:
> > The migration is almost done. Since we are moving to a new machine, it will
> > have new host keys. They are:
> >
> > Ed25519: SHA256:RFzBCUItH9LZS0cKB5UE6ceAYhBD5C8GeOBip8Z11+4
> > ECDSA: SHA256:5s5cIyReIfNNVGRFdDbe3hdYiI5OelHGpw2rOUud3Q8
> > RSA: SHA256:uTa/0PndEgPZTf76e1DFqXKJEXKsn7m9ivhLQtzGOCI
>
> Can't you just copy the SSH host keys from the old machines?
>
> It's the same service as before and (presumably) the host private keys
> were not compromised, so there is no reason to change keys.

It's quite unsettling that we seem to be rushing to write a news post while this very reasonable suggestion remains completely ignored.

For future migrations I would greatly appreciate if not all on-disk data were thrown away. On top of SSH keys, there are home directories which contain not only user data but also in some cases things useful for the distro as a whole (such as the service I use to version iana-etc files).

Cheers.

-- 
Gaetan
Re: [aur-general] AUR and unsupported architectures
[2012-07-21 10:15:55 +0200] SanskritFritz: Is there an official consensus about this question? No. I was asked to include 'arm' to the architecture array in fish-shell-git. I have no problems with that, but want to conform to the general recommendations. I would do it and think you should too if this brings little to no maintenance burden. -- Gaetan
Re: [aur-general] TU Application - Andrzej Giniewicz (giniu)
Hi, [2012-06-29 07:53:57 +0200] Andrzej Giniewicz: I'm interested in [...] typography Is there anything specific in this area you'd like to work on in Arch if you're given the chance? Regardless, your application looks great to me; good luck with it! Cheers. -- Gaetan
Re: [aur-general] TU Application - György Balló
[2012-03-01 23:35:16 +0100] Heiko Baums: I guess you are kidding, aren't you? Nobody cares what you guess. Just quit posing for an expert on everything already. -- Gaetan
Re: [aur-general] TU Application - György Balló
[2012-03-02 00:13:33 +0100] Heiko Baums: Are you sure that your attitude is the right one? Yes. And that comes from a dev who should know about packaging standards, policies and packaging quality. Such as quoting variables that may contain whitespace? -- Gaetan
Re: [aur-general] TU Application - György Balló
[2012-03-02 01:44:02 +0100] Heiko Baums: Not me. Like I said, nobody cares. But you know what you want to say? If you have problems reading between the lines, try growing up. -- Gaetan
Re: [aur-general] GPG Key Signing
[2011-12-01 09:08:39 -0600] Thomas Dziedzic: I don't think anyone has actually verified that any of the given names are real names. Well, actually, CAcert (which Dan relies on) is all about verifying people's actual identity, in particular their name and birth date. What's important is that you're verified that you use the key to sign your packages in case someone does get compromised or decides to go rogue, then we will have a way to easily track which packages should become void. That feature was already achieved by permissions on gerolde/sigurd... The whole point of package signing is to neutralize attacks against our repositories (our servers but also third-party mirrors). Now those inaccuracies are out of the way: I find Dan's verification requirements quite reasonable, and I am pleased he takes a different approach than other master key holders: what would be the point of everyone verifying the same thing? Yes, that Xyne person (well, it could even be a group of people, for all we know) has pushed good packages to the repos, but developers and trusted users are not just package producing machines, and it doesn't strike me as odd that a distro expects a little transparency from them. Of course, that is only my opinion: verification policy is for each master key holder to decide individually - that's what they were entrusted with when they were selected. -- Gaetan
Re: [aur-general] TU Application - Timothy Redaelli
[2011-11-28 14:20:13 +0100] Andrea Scarpino: I'm sorry Massimiliano, I just read your application and...well...is pretty much a copy-paste. I know Timothy is really motivated, so I hope that he can explain the whole story. Where I come from, plagiarism is a serious offense. It seems to my non-TU eyes that writing an original application is the least Timothy could do... -- Gaetan
Re: [aur-general] TU Application - Timothy Redaelli
[2011-11-29 14:12:31 +0200] Hector Martinez-Seara: I'm starting to be sick about this thing of plagiarism. So you see nothing wrong with passing somebody else's sentences (hell, paragraphs even!) as your own? That's disturbing, to say the least. If something has been done fine once why to reinvent the wheel. What purpose do you think an application serves when you only have to fill in the blanks? Maybe the only thing that was done wrong in this case was not to add the correct citation to the original source. ... or just fail to mention that there was a source at all - that's precisely what plagiarism is; thanks for making my point. -- Gaetan
Re: [aur-general] how do i remove a aur package
[2011-11-28 22:49:16 -0600] Angel Dreams: hi guys how do i remove a package? Disownment requests and removal requests go to the aur-general mailing list for TUs and other users to decide upon. From: https://wiki.archlinux.org/index.php/AUR_User_Guidelines#Other_requests Cheers. -- Gaetan
[aur-general] ML etiquette and bounces (was: TU Resignation)
[2011-11-22 00:24:53 +0100] Karol Blazewicz: Can somebody enlighten me what happened with this ML discussion? A quick look at the headers suggests that somebody messed up their mail server and started bouncing messages back to the list. They have now been blacklisted. I'm not well-versed in the ML-foo That is easily fixed: http://catb.org/~esr/faqs/smart-questions.html#uselists http://www.freebsd.org/doc/en/articles/mailing-list-faq/etiquette.html etc. -- Gaetan
[aur-general] SLiM up for adoption
Hi devs, Hi TUs, I am orphaning SLiM (login manager): upstream is dead, patches keep piling up, and I actually stopped using that package a while ago. As far as I know, our current package has only one unfixed bug: https://bugs.archlinux.org/task/26579 Anyhow, I will move that package to the AUR in a week or so unless a dev or a TU wishes to adopt it. Cheers. -- Gaetan
Re: [aur-general] [broadcom-wl] kernel panic
[2011-10-24 01:44:50 -0200] Vitor Eiji Justus Sakaguti: On Mon, Oct 24, 2011 at 12:52 AM, Dave Reisner d...@falconindy.com wrote: On Mon, Oct 24, 2011 at 12:45:04AM -0200, Vitor Eiji Justus Sakaguti wrote: Hi, Just a heads up to all users of broadcom-wl: a lot of people (myself included) have been reporting kernel panics at boot time after upgrade to current version, so if you're planning to upgrade, be sure to have a live cd around to chroot into your system. There are still no known workarounds other than blacklisting the wl module (thus disabling wireless board) or removing the package. [1] http://aur.archlinux.org/packages.php?ID=19514 Good luck! Vitor Or just blacklist the module from the kernel cmdline via modprobe.blacklist=wl. Kind of what I said (less verbosely). No. Dave's point is that you don't need a LiveCD: you can just add modprobe.blacklist=wl as a parameter to your kernel in the boot loader. -- Gaetan
Re: [aur-general] Replacing nexuiz with xonotic
[2011-10-21 08:45:46 +0200] Dieter Plaetinck: On Fri, 21 Oct 2011 02:50:31 +0200 Sven-Hendrik Haase s...@lutzhaase.com wrote: I'd like to see nexuiz replaced by xonotic in [community]. Problem is that nexuiz is still a fairly popular package despite being dead upstream. xonotic devs recommend dropping nexuiz in favor of xonotic. Technically, xonotic does not replace nexuiz because its gameplay is somewhat different. I'd like some opinions on this. hi, imho: different game - additional package nexuiz still popular - keep package as is. My two cents: I'm of those who believe that we can't keep throwing 1GB packages in the repos like there's no tomorrow. So if nexuiz and xonotic are quite similar, it makes sense to only package one of them and save the extra gigabyte for a different game. -- Gaetan
Re: [aur-general] Replacing nexuiz with xonotic
[2011-10-21 10:00:37 +0200] Massimiliano Torromeo: If the sizes of the packages are problematic that's a different issue. Okay. Suppose that issue isn't entirely theoretical. How do we solve it? -- Gaetan
Re: [aur-general] Head over Heels (hoh 1.01-5) download problems
[2011-09-23 10:54:23 +0200] SanskritFritz: The problem is that makepkg uses wget to download the sources Just a note: curl will be the default in the next release. The previous AUR maintainer of hoh solved this issue simply by hosting the file on his site (which is allowed, settled through email with the author). Spoofing the user-agent in with 'wget --user-agent' or using curl works ok. My question is, what is the recommended way now. Should I host the file somewhere, or should I modify the PKGBUILD so that it downloads and unpacks the source manually, or is there another way I overlooked? The cleanest way should be to just add DLAGENTS=('http::/usr/bin/curl -fLC - --retry 3 --retry-delay 3 -o %o %u') next to the source=() array in the PKGBUILD, with a comment explaining the situation. -- Gaetan
Re: [aur-general] Delete Request
[2011-07-27 08:11:52 +0800] Auguste Pop: audacious2 was there It was uploaded today. -- Gaetan
Re: [aur-general] AUR Copyright
[2011-02-06 13:22:20 -0700] Thomas S Hatch: Really I think that this is a simple thing, that we should just post some statement that says that anything uploaded to the AUR can be absorbed into the Arch Linux distribution. This disclaimer should not be limited to Arch, IMHO: sister projects might also benefit from importing AUR stuff. I would suggest something like: By uploading content to the Arch User Repository, you irrevocably agree to release it in the public domain, to the extent permitted by law. -- Gaetan
Re: [aur-general] AUR Copyright
[2011-02-06 19:28:38 -0200] Bernardo Barros: 2011/2/6 Gaetan Bisson bis...@archlinux.org: By uploading content to the Arch User Repository, you irrevocably agree to release it in the public domain, to the extent permitted by law. GPL would do no harm to Arch either. And pieces of code with less than 10 lines can't have any copyright. The difference in practice is minimal, since it is very unlikely that this piece of code would integrate a non-free software, even including big patches and tricky things. Since there is little difference, why choose a complicated license such as the GPL over the (much simpler) public domain? The practical difference I can see is the need to keep the attribution when it makes sense. If you rewrite everything from scratch, you are the author anyway. Rewriting from scratch is okay for one PKGBUILD, but I believe we should also allow people to copy the whole database. -- Gaetan
Re: [aur-general] deletion request
[2010-11-19 13:24:09 +] Christopher Brannon: Seblu se...@seblu.net writes: package: dnstracer Reason: Is in community Deleted, thanks. Thanks, that was fast. Could you also delete (same reason): - pari http://aur.archlinux.org/packages.php?ID=19196 - collectd http://aur.archlinux.org/packages.php?ID=2341 - liboping http://aur.archlinux.org/packages.php?ID=24752 -- Gaetan
[aur-general] Various new packages in [community]
Dear TUs, I'm Gaetan, a (discreet) junior dev, mentored by Allan. I recently got access to sigurd and thought I would use that opportunity to maintain in [community] a few packages I have been maintaining on the AUR so far, but which are just a bit too unpopular to go to [extra]: pari (fast advanced calculator) http://aur.archlinux.org/packages.php?ID=19196 dnstracer (DNS diagnosis tool) http://aur.archlinux.org/packages.php?ID=3229 collectd (performance collecting daemon) http://aur.archlinux.org/packages.php?ID=2341 They have over thirty votes each. Is it okay by everyone? Cheers. -- Gaetan
[aur-general] delete request ttf-hannom-usong
Dear TUs, I uploaded two new fonts with CJK glyph coverage to [extra] yesterday: ttf-baekmuk and ttf-hannom. The former appears to be gone from AUR, so many thanks to the person who took care of removing it. Could you please remove ttf-hannom-usong too? http://aur.archlinux.org/packages.php?ID=31333 Thanks. -- Gaetan
[aur-general] new packages in [extra]
Dear TUs,

The following packages have been added to [extra], so their counterparts can safely be removed from the AUR.

libcue http://aur.archlinux.org/packages.php?ID=25766
libguess http://aur.archlinux.org/packages.php?ID=39416
ttf-sazanami http://aur.archlinux.org/packages.php?ID=6268
vim-spell-bg http://aur.archlinux.org/packages.php?ID=21898
vim-spell-cs http://aur.archlinux.org/packages.php?ID=15551
vim-spell-de http://aur.archlinux.org/packages.php?ID=13863
vim-spell-fr http://aur.archlinux.org/packages.php?ID=15155
vim-spell-hu http://aur.archlinux.org/packages.php?ID=32262
vim-spell-it http://aur.archlinux.org/packages.php?ID=13929
vim-spell-nl http://aur.archlinux.org/packages.php?ID=26366
vim-spell-pl http://aur.archlinux.org/packages.php?ID=19509
vim-spell-pt http://aur.archlinux.org/packages.php?ID=21997
vim-spell-ro http://aur.archlinux.org/packages.php?ID=32263
vim-spell-sk http://aur.archlinux.org/packages.php?ID=27116
vim-spell-sl http://aur.archlinux.org/packages.php?ID=35345

Best.

-- 
Gaetan