Re: [aur-general] TU application - bastelfreak
Hi, On 02.11.20 05:31, Brett Cornwall wrote: > On 2020-10-18 17:39, Tim Meusel via aur-general wrote: >> [...] > > It's great that you'd like to improve the quality of the Ruby ecosystem! > Do you have any experience with documentation? I think it'd be nice to > have someone experienced make sure the Ruby/Puppet documentation is up > to snuff. I think writing documentation is an essential part of maintaining packages or any open source project. Nobody will use a project, no matter how good it is, if it's lacking documentation. I am confident enough to document Arch Linux related stuff about Puppet/facter/choria. I don't have the same amount of experience with Ruby applications in general, I'm mostly following what anthraxx recommended me as packaging guidelines. But I'm happy to keep the documentation up2date as well and write down some common pitfalls and best practices. > Are you also interested in maintaining any other types of packages, or > only the Ruby ecosystem? Interested? Yes! Do I have enough time to do it properly? I don't know. I'm also interested in some of the tools from the CNCF landscape, luckily shibumi already started packaging some of them. I don't know yet with how many dependencies I end up with, if the Puppet tools are properly packaged. If there is spare time left I'm happy to also maintain other packages. Cheers, Tim signature.asc Description: OpenPGP digital signature
Re: [aur-general] TU application - bastelfreak
Hey, On 21.10.20 23:41, Jelle van der Waa wrote: > On 18/10/2020 17:39, Tim Meusel via aur-general wrote: >> Hi! >> >> I'm Tim Meusel and I want to spent more time in the Arch Linux community >> and increase the package quality. I first got in touch with open source >> some years ago in the Puppet Community [0] where I started to love >> Puppet and FOSS. At the moment I'm employed at a big ISP where I >> maintain a few thousand systems. My solution of choice for configuration >> management is Puppet because it fulfills all requirements and is easy to >> extend. For a few projects I require up2date systems with modern >> software, that's why i choose Arch Linux. Since Puppet was already >> present in the company, the Arch Linux boxes were puppetized as well. I >> wrote or contributed to multiple packages related to Puppet on Arch >> Linux. foxxx0 and shibumi were so kind to continue maintaining them >> in the official repositories: > > Yay, I like seeing applications who want to help maintain packages which > are already in our repositories! > > Some notes on your AUR packages: > > * choria-io > - 'github.com/choria-io/go-choria/build.BuildDate=$(date '+%F %T %z')' > Recording the build date is non reproducible, will give > reproducibility issues. SOURCE_DATE_EPOCH can be used to make it > reproducible, see https://reproducible-builds.org/docs/source-date-epoch/ Thanks for the note. I will update the PKGBUILD in the next days and also want to do some cleanups. It finally builds and all tests pass, but the PKGBUILD is not yet complete. > > - systemd unit could have some systemd hardening applied, see the wiki > or 'man systemd.exec' > > https://wiki.archlinux.org/index.php/Arch_package_guidelines/Security#Systemd_services thanks for the hint about hardening. To get this working I only copied the unit file that upstream uses as well (but it's not bundled in the source code). I will take a look here and see which options make sense in the unit file and submit them to upstream and the AUR. > * log4r > - Package lacks a license=(), upstream url is no longer valid it seems? ruby-log4r is a pretty sad project. It's dead since a few years but still widely used. It's possible to download the gem from rubygems, but rubygems.org doesn't know the correct license and also has no link to the sourcecode. Because of that, the PKGBUILD does not properly build the gem from source and executes the tests. In my opinion this disqualifies it as an official package. But it's currently a dependency for r10k. I wanted to ensure I can package r10k properly, and that required building log4r as well. I'm currently working with the upstream r10k developers to get rid of log4r as a dependency. Afterwards I can delete/orphan the log4r package and r10k would be ready for an official repo. > > * tftp-hpa-destruct > - systemd service could use some hardening > - how did you obtain the LICENSE file? From their official website? well, years ago I required a tftp service that deletes files after it delivered them. tftp-hpa-destruct has such a patch (that upstream didn't want, which I understand :D). I used the official Arch Linux PKGBUILD for tftp-hpa as a base. It also ships a dedicated LICENSE file. I've no intention to ever get this in any email, so I didn't list it in my initial email. > It's interesting it's not in the official tarball :) > > Greetings, > > Jelle > signature.asc Description: OpenPGP digital signature
Re: [aur-general] TU application - bastelfreak
Hi!
On 21.10.20 20:21, Morten Linderud wrote:
> On Sun, Oct 18, 2020 at 05:39:41PM +0200, Tim Meusel via aur-general wrote:
>> Hi!
>
> Yo!
>
>> Besides working on open source projects, I spent a huge amount of time
>> for my second passion, cooking and doing BBQ. From time to time I also
>> attend ice hockey events as visitor but also as hobby-referee or player.
>
> Yes.. I heard some rumors about team members ice skating and ending up with
> stitches during this years FOSDEM. This might be more useful information then
> you know :D
Good to know! I'm usually around at FOSDEM (at of course config
management camp in Ghent the following three days)
>
>> As a trusted user I would like to co-maintain those packages, enable
>> tests on the PKGBUILDs where tests are currently missing (for example
>> ruby-puppet-resource_api, ruby-semantic_puppet and Puppet), fix the
>> remaining namcap warnings (for example on facter and libwhereami) and
>> also import some other Puppet related tools into the official
>> repository. Some of them are already in the AUR (not all maintained by
>> myself):
>>
>> [snip package list]
>
> How interested would you be to pick up a bit on the Ruby Gem package
> guidelines
> on the wiki, and how are you currently keeping track of package updates?
>
> https://wiki.archlinux.org/index.php/Ruby_Gem_package_guidelines
sure, I already talked a few times to anthraxx about packaging
guidelines for Ruby and want to update the page in the future.
I'm involved in most of the open source projects I created PKGBUILDs
for. besides that I've their rubygems.org release feed in my RSS client
and/or GitHub notifies me about new releases.
>
>> I talked to shibumi and hashworks in the past days, both reviewed the
>> packages and agreed to sponsor my application.
>
> Generally they look nice and I don't spot any major rewrites as part of the
> sponsor reviewing. Which is a good sign I guess! I don't know ruby very well,
> which is why it was *very* fortunate that you uploaded a Go PKGBUILD today :)
> Now I have some pointers!
>
> Generally speaking it's fine. I think the `glibc` in `depends` makes no sense
> when there are other dependencies present, but it's generally not an issue.
>
thanks for this point! I don't have an opinion on adding dependencies
that are already pulled in because other deps also depend on them. I was
a bit unsure here and asked multiple trusted users about this. 50% said
it should be added, 50% were against. anthraxx also recommended adding
it so I went with that.
> Before `prepare` you have listed up 8 environment variables for the go
> compiler,
> generally they should be inside the given functions as makepkg does magic to
> the
> environment between the different prepare/build/check/package steps. So this
> is
> wrong and should be moved inside build and check.
>
> `prepare` is fine, but `$srcdir` is not really needed. But that is more a
> cosmetic thing.
>
> build is fine, but it has a few issues. Where is the build.SHA from? BuildDate
> is set to current time, which is not reproducible. Preferably it should adhere
> to `SOURCE_DATE_EPOCH` as noted by Reproduible Builds like so:
>
> -X 'github.com/choria-io/go-choria/build.BuildDate=$(date
> -d@"${SOURCE_DATE_EPOCH}" '+%F %T %z')'
>
> But apart from that both check and package is fine.
Thanks for all the feedback on the PKGBUILD! I'm pretty new to the Go
world and based this PKGBUILD on the consul/vault ones that are in
community. I managed to build choria properly and execute the tests, but
I'm not yet happy with the PKGBUILD and don't consider it complete. I
will update it in the next days.
>
>> I'm available on Freenode as bastelfreak. I'm pretty active in
>> #archlinux.de and #voxpupuli. My GPG key fingerprint is
>> C10B6298A584A5632E254DA304D659E6BF1C4CC0
>
> As noted in another email, rsa2048 is bordering on weak these days. It would
> be
> preferable to update the keysize if you do get accepted. Preferably as part of
> the application :)
>
Thanks for the note, I'm aware of this. I think it's always a tradeoff
between using an established key with multiple signatures vs a new one
with stronger ciphers. My plan was to create a new key dedicated for TU
work, if I get accepted, and crossign it with my current private key.
Maybe it would have been smarter to send the application directly with a
new key.
>> best regards, Tim
>
> Cheers and good luck!
>
signature.asc
Description: OpenPGP digital signature
[aur-general] TU application - bastelfreak
Hi! I'm Tim Meusel and I want to spent more time in the Arch Linux community and increase the package quality. I first got in touch with open source some years ago in the Puppet Community [0] where I started to love Puppet and FOSS. At the moment I'm employed at a big ISP where I maintain a few thousand systems. My solution of choice for configuration management is Puppet because it fulfills all requirements and is easy to extend. For a few projects I require up2date systems with modern software, that's why i choose Arch Linux. Since Puppet was already present in the company, the Arch Linux boxes were puppetized as well. I wrote or contributed to multiple packages related to Puppet on Arch Linux. foxxx0 and shibumi were so kind to continue maintaining them in the official repositories: * puppet [1] * puppet5 [2] * facter [3] * libwhereami [4] * ruby-deep_merge [5] * ruby-httpclient [6] * ruby-sync [7] * ruby-puppet-resource_api [8] * ruby-semantic_puppet [9] Besides working on open source projects, I spent a huge amount of time for my second passion, cooking and doing BBQ. From time to time I also attend ice hockey events as visitor but also as hobby-referee or player. As a trusted user I would like to co-maintain those packages, enable tests on the PKGBUILDs where tests are currently missing (for example ruby-puppet-resource_api, ruby-semantic_puppet and Puppet), fix the remaining namcap warnings (for example on facter and libwhereami) and also import some other Puppet related tools into the official repository. Some of them are already in the AUR (not all maintained by myself): * fluent-bit (not Puppet related) [10] * ruby-gettext-setup [11] * ruby-minitar [12] * ruby-puppet_forge [13] * ruby-rr [14] * ruby-cri [15] * ruby-test-unit-rr [16] * ruby-fast_gettext [17] * ruby-gettext [18] * ruby-locale [19] * ruby-text [20] * ruby-colored2 [21] * r10k [22] If you check my AUR packages, you might notice the awful ruby-log4r package. That's a dead project where the source code is gone. It's a dependency for r10k. I'm "maintaining" ruby-log4r in the AUR, so I can test and build r10k, but I'm also in contact with the upstream developers to replace this dead dependency. I've no intention to get log4r into any official repository. I talked to shibumi and hashworks in the past days, both reviewed the packages and agreed to sponsor my application. I'm available on Freenode as bastelfreak. I'm pretty active in #archlinux.de and #voxpupuli. My GPG key fingerprint is C10B6298A584A5632E254DA304D659E6BF1C4CC0 best regards, Tim [0] https://voxpupuli.org [1] https://git.archlinux.org/svntogit/community.git/tree/trunk/PKGBUILD?h=packages/puppet [2] https://git.archlinux.org/svntogit/community.git/tree/trunk/PKGBUILD?h=packages/puppet5 [3] https://git.archlinux.org/svntogit/community.git/tree/trunk/PKGBUILD?h=packages/facter [4] https://git.archlinux.org/svntogit/community.git/tree/trunk/PKGBUILD?h=packages/libwhereami [5] https://git.archlinux.org/svntogit/community.git/tree/trunk/PKGBUILD?h=packages/ruby-deep_merge [6] https://git.archlinux.org/svntogit/community.git/tree/trunk/PKGBUILD?h=packages/ruby-httpclient [7] https://git.archlinux.org/svntogit/community.git/tree/trunk/PKGBUILD?h=packages/ruby-sync [8] https://git.archlinux.org/svntogit/community.git/tree/trunk/PKGBUILD?h=packages/ruby-puppet-resource_api [9] https://git.archlinux.org/svntogit/community.git/tree/trunk/PKGBUILD?h=packages/ruby-semantic_puppet [10] https://aur.archlinux.org/packages/fluent-bit#comment-749760 [11] https://aur.archlinux.org/packages/ruby-gettext-setup/#comment-725838 [12] https://aur.archlinux.org/packages/ruby-minitar/#comment-723296 [13] https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=ruby-puppet_forge [14] https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=ruby-rr [15] https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=ruby-cri [16] https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=ruby-test-unit-rr [17] https://aur.archlinux.org/packages/ruby-fast_gettext/#comment-723301 [18] https://aur.archlinux.org/packages/ruby-gettext/#comment-725388 [19] https://aur.archlinux.org/packages/ruby-locale/#comment-723294 [20] https://aur.archlinux.org/packages/ruby-text [21] https://aur.archlinux.org/packages/ruby-colored2/#comment-771053 [22] https://aur.archlinux.org/packages/r10k/#comment-770978 signature.asc Description: OpenPGP digital signature
