Re: Bug#1032462: ITA: argon2 -- memory-hard hashing function

2023-10-30 Thread Sven Geuer
Hello Samuel,

On Sun, 2023-10-29 at 18:05 +, Samuel Henrique wrote:
> $ dcut dm --uid "Sven Geuer" --allow argon2
> Uploading commands file to ftp.upload.debian.org (incoming:
> /pub/UploadQueue/)
> Picking DM Sven Geuer  with fingerprint
> 3DF5E8AA43FC9FDFD086F195ADF50EDAF8ADD585
> Uploading samueloph-1698580851.dak-commands to ftp-master

Cool! Thanks!

> I have just one note about the changelog modification: I see that you
> are often updating the changelog in the same commit where you do the
> change referred to.
> This will cause issues whenever you need to cherry-pick/merge a change
> to a different branch, that's the case when dealing with backports
> branches, for example.

That's definitely a valid point which did not come to my mind. Will
honor your input with my future work.


Cheers!

-- 
GPG Fingerprint
3DF5 E8AA 43FC 9FDF D086 F195 ADF5 0EDA F8AD D585


signature.asc
Description: This is a digitally signed message part


Re: Bug#1032462: ITA: argon2 -- memory-hard hashing function

2023-10-29 Thread Samuel Henrique
Hello Sven,

> Can you please review my work [1]? If it is sound, would you mind to
> grant me DM rights for the package?

The changes are all looking good, I appreciate the attention to
details and I can see you have put a lot of effort into it.

$ dcut dm --uid "Sven Geuer" --allow argon2
Uploading commands file to ftp.upload.debian.org (incoming: /pub/UploadQueue/)
Picking DM Sven Geuer  with fingerprint
3DF5E8AA43FC9FDFD086F195ADF50EDAF8ADD585
Uploading samueloph-1698580851.dak-commands to ftp-master

You should have received an email stating that you have DM rights in a
few minutes.

I have just one note about the changelog modification: I see that you
are often updating the changelog in the same commit where you do the
change referred to.
This will cause issues whenever you need to cherry-pick/merge a change
to a different branch, that's the case when dealing with backports
branches, for example.

Having changelog modifications together with the actual changes means
that every commit you have will cause a conflict whenever you need to
cherry-pick/merge, this is opposed to having a single commit updating
the changelog at once (gbp dch).

It's not a big deal for this package (argon2) since there aren't any
backports and you haven't done any stable uploads yet (the conflicts
are also troublesome when updating packages on stable), so there's no
need to change the history, but I suggest considering separating
actual changes from the changelog updates.

Cheers,

--
Samuel Henrique 



Re: Bug#1032462: ITA: argon2 -- memory-hard hashing function

2023-10-27 Thread Sven Geuer
Hello Samuel,

On Fri, 2023-10-27 at 01:00 +0100, Samuel Henrique wrote:
> From Sven:
> > To comply with DEP-14, I just created the branch debian/latest and
> > intend to drop the branch debian/sid eventually.
> > Can you please set debian/latest to 'default' and 'protected'? I
> > don't
> > have the rights to do this.
> 
> Awesome, I've done these changes and also gave you Maintainer
> permissions to the repo.

I pushed my changes to the repo and removed the debian/sid branch.

Can you please review my work [1]? If it is sound, would you mind to
grant me DM rights for the package?

Cheers,
Sven

[1] https://salsa.debian.org/pkg-security-team/argon2

-- 
GPG Fingerprint
3DF5 E8AA 43FC 9FDF D086 F195 ADF5 0EDA F8AD D585




Re: Bug#1032462: ITA: argon2 -- memory-hard hashing function

2023-10-27 Thread Sven Geuer
Hello Samuel and Peter,

On Fri, 2023-10-27 at 01:00 +0100, Samuel Henrique wrote:
> From Sven:
> > To comply with DEP-14, I just created the branch debian/latest and
> > intend to drop the branch debian/sid eventually.
> > Can you please set debian/latest to 'default' and 'protected'? I don't
> > have the rights to do this.
> 
> Awesome, I've done these changes and also gave you Maintainer
> permissions to the repo.

Thanks a lot!

> From Peter:
> > as you suspect the Lintian tag is only emitted if the number of
> > changelog entries is one. The reason is that it is too late to switch to
> > the suggested versioning scheme after the first upload. Once an upload
> > with a date-based versioning scheme has been done, an epoch likely needs
> > to be introduced in case upstream switches to a conventional versioning
> > scheme. Therefore this Lintian hint becomes pointless after the first
> > upload. Still the reasoning to avoid prefix-less date-based versioning
> > schemes remains valid.
> 
> Peter is correct, the main thing to have in mind is that having the
> package version starting with "0~" is much less painful than dealing
> with an epoch, so the lintian is hinting towards the idea that all
> calver-versioned packages should be versioned like that (with "0~").
> 
> For the record, I remember Raphaël once mentioning on this list that
> epochs are also troublesome for derivatives, but I don't know the
> details on that (and it was a few years ago).
> 
> Still, if you think there's an issue with this versioning (that
> overcomes the benefit of it), Sven, feel free to raise your concerns
> and we can drop it if it makes sense.

My only concern would be to stay as close as possible with upstream and
other distributions. Considering your arguments, I will retain the
current versioning scheme.

Thank you for your thoughts, Peter and Samuel!


-- 
GPG Fingerprint
3DF5 E8AA 43FC 9FDF D086 F195 ADF5 0EDA F8AD D585




Re: Bug#1032462: ITA: argon2 -- memory-hard hashing function

2023-10-26 Thread Samuel Henrique
Hello Peter and Sven,

From Sven:
> To comply with DEP-14, I just created the branch debian/latest and
> intend to drop the branch debian/sid eventually.
> Can you please set debian/latest to 'default' and 'protected'? I don't
> have the rights to do this.

Awesome, I've done these changes and also gave you Maintainer
permissions to the repo.

> may I ping you about my request below?

Sorry for the delay and thank you for the ping!

From Peter:
> as you suspect the Lintian tag is only emitted if the number of
> changelog entries is one. The reason is that it is too late to switch to
> the suggested versioning scheme after the first upload. Once an upload
> with a date-based versioning scheme has been done, an epoch likely needs
> to be introduced in case upstream switches to a conventional versioning
> scheme. Therefore this Lintian hint becomes pointless after the first
> upload. Still the reasoning to avoid prefix-less date-based versioning
> schemes remains valid.

Peter is correct, the main thing to have in mind is that having the
package version starting with "0~" is much less painful than dealing
with an epoch, so the lintian is hinting towards the idea that all
calver-versioned packages should be versioned like that (with "0~").

For the record, I remember Raphaël once mentioning on this list that
epochs are also troublesome for derivatives, but I don't know the
details on that (and it was a few years ago).

Still, if you think there's an issue with this versioning (that
overcomes the benefit of it), Sven, feel free to raise your concerns
and we can drop it if it makes sense.

Cheers,

-- 
Samuel Henrique 



Re: Bug#1032462: ITA: argon2 -- memory-hard hashing function

2023-10-24 Thread Peter Wienemann

Hi Sven,

On 24.10.23 01:13, Sven Geuer wrote:

> Thanks for pointing this out. However, I am unsure if lintian would
> still complain in regards to argon2 (and also dnstwist) as the package
> is not a new one anymore. The explanation in [1] clearly states
>
>    This package appears to be the first packaging of a new upstream
>    software package (there is only one changelog entry and the Debian
>    revision is 1) and uses a date-based versioning scheme such as
>    MMDD-1.
>
> and upstream kept using the MMDD versioning scheme since the
> beginning in 2015 (they might change their mind, though).


as you suspect the Lintian tag is only emitted if the number of
changelog entries is one. The reason is that it is too late to switch to 
the suggested versioning scheme after the first upload. Once an upload 
with a date-based versioning scheme has been done, an epoch likely needs 
to be introduced in case upstream switches to a conventional versioning 
scheme. Therefore this Lintian hint becomes pointless after the first
upload. Still the reasoning to avoid prefix-less date-based versioning 
schemes remains valid.


Best regards,

Peter



Re: Bug#1032462: ITA: argon2 -- memory-hard hashing function

2023-10-23 Thread Sven Geuer
Hello Peter,

On Mon, 2023-10-23 at 17:26 +, Peter Wienemann wrote:
> Dear Sven,
> 
> On 23.10.23 17:19, Sven Geuer wrote:
> > I would prefer to remove the 0~ prefix from the package version,
> > resulting in an upcoming version of 20190702+dfsg-4 instead of
> > 0~20190702+dfsg-4. This would align the version in Debian to other
> > distros, see [1] for details.
> > 
> > Are there arguments to not change the versioning in this way?
> > 
> > [1]  https://repology.org/project/argon2/versions
> 
> I see the same issue for dnstwist [0]. Still there is a good reason to 
> keep the present Debian versioning as it is - see the description of the 
> Lintian tag "new-package-uses-date-based-version-number" [1] for an 
> explanation.
> 

Thanks for pointing this out. However, I am unsure if lintian would
still complain in regards to argon2 (and also dnstwist) as the package
is not a new one anymore. The explanation in [1] clearly states

   This package appears to be the first packaging of a new upstream
   software package (there is only one changelog entry and the Debian
   revision is 1) and uses a date-based versioning scheme such as
   MMDD-1.

and upstream kept using the MMDD versioning scheme since the
beginning in 2015 (they might change their mind, though).

> Best regards,
> 
> Peter
> 
> [0] https://repology.org/project/dnstwist/versions
> [1] 
> https://salsa.debian.org/lintian/lintian/-/blob/d44a4d1a4a053b39ca2acbfa0c67ac4b5e04df59/tags/n/new-package-uses-date-based-version-number.tag
> 

@all: Are there other pros or cons?

-- 
GPG Fingerprint
3DF5 E8AA 43FC 9FDF D086 F195 ADF5 0EDA F8AD D585




Re: Bug#1032462: ITA: argon2 -- memory-hard hashing function

2023-10-23 Thread Peter Wienemann

Dear Sven,

On 23.10.23 17:19, Sven Geuer wrote:

> I would prefer to remove the 0~ prefix from the package version,
> resulting in an upcoming version of 20190702+dfsg-4 instead of
> 0~20190702+dfsg-4. This would align the version in Debian to other
> distros, see [1] for details.
>
> Are there arguments to not change the versioning in this way?
>
> [1]  https://repology.org/project/argon2/versions


I see the same issue for dnstwist [0]. Still there is a good reason to 
keep the present Debian versioning as it is - see the description of the 
Lintian tag "new-package-uses-date-based-version-number" [1] for an 
explanation.


Best regards,

Peter

[0] https://repology.org/project/dnstwist/versions
[1] 
https://salsa.debian.org/lintian/lintian/-/blob/d44a4d1a4a053b39ca2acbfa0c67ac4b5e04df59/tags/n/new-package-uses-date-based-version-number.tag




Re: Bug#1032462: ITA: argon2 -- memory-hard hashing function

2023-10-23 Thread Sven Geuer
One more thing...


I would prefer to remove the 0~ prefix from the package version,
resulting in an upcoming version of 20190702+dfsg-4 instead of
0~20190702+dfsg-4. This would align the version in Debian to other 
distros, see [1] for details.

Are there arguments to not change the versioning in this way?

[1]  https://repology.org/project/argon2/versions

-- 
GPG Fingerprint
3DF5 E8AA 43FC 9FDF D086 F195 ADF5 0EDA F8AD D585




Re: Bug#1032462: ITA: argon2 -- memory-hard hashing function

2023-10-23 Thread Sven Geuer
Hi Samuel,

may I ping you about my request below?


On Mon, 2023-10-16 at 11:08 +0200, Sven Geuer wrote:
> Hello Samuel,
> 
> On Fri, 2023-10-13 at 13:37 +0200, Sven Geuer wrote:
> > [...]
> > I am fine with the salsa admins moving the package. Here's the
> > issue
> > I logged:
> > https://salsa.debian.org/salsa/support/-/issues/356
> > 
> 
> the argon2 repository has been moved to the group.
> 
> To comply with DEP-14, I just created the branch debian/latest and
> intend to drop the branch debian/sid eventually.
> 
> Can you please set debian/latest to 'default' and 'protected'? I
> don't
> have the rights to do this.
> 
> Regards,
> Sven
> 

-- 
GPG Fingerprint
3DF5 E8AA 43FC 9FDF D086 F195 ADF5 0EDA F8AD D585




Re: Bug#1032462: ITA: argon2 -- memory-hard hashing function

2023-10-16 Thread Sven Geuer
Hello Samuel,

On Fri, 2023-10-13 at 13:37 +0200, Sven Geuer wrote:
> [...]
> I am fine with the salsa admins moving the package. Here's the issue
> I logged:
> https://salsa.debian.org/salsa/support/-/issues/356
> 

the argon2 repository has been moved to the group.

To comply with DEP-14, I just created the branch debian/latest and
intend to drop the branch debian/sid eventually.

Can you please set debian/latest to 'default' and 'protected'? I don't
have the rights to do this.

Regards,
Sven

-- 
GPG Fingerprint
3DF5 E8AA 43FC 9FDF D086 F195 ADF5 0EDA F8AD D585




Re: Bug#1032462: ITA: argon2 -- memory-hard hashing function

2023-10-13 Thread Sven Geuer
Hello Samuel,

On Fri, 2023-10-13 at 02:42 +0100, Samuel Henrique wrote:
> Hello Sven,
> 
> > > @Samuel: Would you mind to create a repo under the group [3]?
> > > 
> > > [1] https://salsa.debian.org/debian/argon2
> > > [2] https://salsa.debian.org/sven-geuer/argon2
> > > [3] https://salsa.debian.org/pkg-security-team
> > 
> > I believe argon2 under my personal projects [1] is in a ready to be
> > uploaded state
> > 
> > Would you review my work, move it to the group's repository and
> > grant
> > me DM rights?
> 
> Sorry about the delay in replying, and thank you for pinging me
> again.
> 
> Since the package is already pushed and set to the debian namespace,
> we should follow the process to move it under the team instead of
> creating a new one (on salsa, I mean). This way redirects will be
> setup for the new location.
> 
> You can do that by opening an issue like this:
> https://salsa.debian.org/salsa/support/-/issues/352
> 
> After it's moved, we can start using the new Vcs field.
> 
> It can take a few days for the salsa admins to perform the move, so
> if
> you would like to upload the package before that, I don't see an
> issue
> in changing the maintainer and keeping the Vcs pointing at the debian
> namespace (that is, until the move is done). This would allow you to
> get upload rights and upload the changes without getting blocked on
> salsa admins.
> 
> Let me know what you think.

I am fine with the salsa admins moving the package. Here's the issue I
logged:
https://salsa.debian.org/salsa/support/-/issues/356


Thanks a lot!

Sven

-- 
GPG Fingerprint
3DF5 E8AA 43FC 9FDF D086 F195 ADF5 0EDA F8AD D585




Re: Bug#1032462: ITA: argon2 -- memory-hard hashing function

2023-10-12 Thread Samuel Henrique
Hello Sven,

> > @Samuel: Would you mind to create a repo under the group [3]?
> >
> > [1] https://salsa.debian.org/debian/argon2
> > [2] https://salsa.debian.org/sven-geuer/argon2
> > [3] https://salsa.debian.org/pkg-security-team
>
> I believe argon2 under my personal projects [1] is in a ready to be
> uploaded state
>
> Would you review my work, move it to the group's repository and grant
> me DM rights?

Sorry about the delay in replying, and thank you for pinging me again.

Since the package is already pushed and set to the debian namespace,
we should follow the process to move it under the team instead of
creating a new one (on salsa, I mean). This way redirects will be
setup for the new location.

You can do that by opening an issue like this:
https://salsa.debian.org/salsa/support/-/issues/352

After it's moved, we can start using the new Vcs field.

It can take a few days for the salsa admins to perform the move, so if
you would like to upload the package before that, I don't see an issue
in changing the maintainer and keeping the Vcs pointing at the debian
namespace (that is, until the move is done). This would allow you to
get upload rights and upload the changes without getting blocked on
salsa admins.

Let me know what you think.

Thank you!

--
Samuel Henrique 



Re: Bug#1032462: ITA: argon2 -- memory-hard hashing function

2023-10-11 Thread Sven Geuer
Hello Samuel,

hope you are doing well.

On Tue, 2023-10-03 at 23:15 +0200, Sven Geuer wrote:
> X-Debbugs-CC: Debian QA Group , Samuel
> Henrique , Debian Security Tools Packaging Team
> , 
> 
> I forked the argon2 package from the Debian group [1] to my personal
> projects [2] and started to work on it.
> 
> In the end I would like to maintain the package under the umbrella of
> the Debian Security Tools Packaging Team.
> 
> @Samuel: Would you mind to create a repo under the group [3]?
> 
> [1] https://salsa.debian.org/debian/argon2
> [2] https://salsa.debian.org/sven-geuer/argon2
> [3] https://salsa.debian.org/pkg-security-team

I believe argon2 under my personal projects [1] is in a ready to be
uploaded state

Would you review my work, move it to the group's repository and grant
me DM rights?

Regards,
Sven

[1] https://salsa.debian.org/debian/argon2
-- 
GPG Fingerprint
3DF5 E8AA 43FC 9FDF D086 F195 ADF5 0EDA F8AD D585

