[gentoo-dev] Packages up for grabs: dev-lang/typescript, gnome-extra/gnome-shell-extension-pop-shell
Hi,

The following packages are up for grabs:

gnome-extra/gnome-shell-extension-pop-shell
dev-lang/typescript

I no longer use pop-shell and it's > 1y outdated. typescript is a build dependency and pop-shell is its only revdep.

However, there are plenty of typescript users and the package is popular. Yes, it's an npm package, but it's unique because it has no external deps. Easy to maintain too, no bugs open, only dependency is nodejs[npm]. May use eapi8 bump.

As for pop-shell, a bump will require packaging 2 extra deps:

pop-launcher
pop-shortcuts

Both are Rust, the latter uses a justfile instead of a makefile. It also uses rustls with the ring crate, which is not portable and had no commits since April 2022.

So my recommendation is to drop pop-shell or move it to guru. And keep typescript in the repo, it's popular.

Thanks for reading!

--
Best regards,
Georgy
[gentoo-dev] [PATCH 6/6] glep-0078: Clarify that Manifest must be present for signed binpkg
Signed-off-by: Michał Górny --- glep-0078.rst | 5 + 1 file changed, 5 insertions(+) diff --git a/glep-0078.rst b/glep-0078.rst index ab28aed..733d8d7 100644 --- a/glep-0078.rst +++ b/glep-0078.rst @@ -228,6 +228,11 @@ If the Manifest is present, all files contained in the archive must be listed in it and verify successfully. The package manager should ignore unknown files but preserve them across package updates. +For a binary package to be considered signed and suitable for +authenticity verification, the Manifest file must be present and contain +a valid signature. It is recommended to include detached signatures +for archive members as well. + Permitted .tar format features -- -- 2.37.3
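Review bot: in the added paragraph, "contain a valid signature" does not say which kind of signature is meant. Patch 5/6 of this series specifies "a cleartext OpenPGP signature as defined in GLEP 74"; using the same wording here would rule out reading it as a detached signature on the Manifest. Because the second added sentence makes member signatures only recommended, it would also help to state that authenticity then rests on the signed Manifest listing and verifying every archive member, as the preceding context paragraph requires.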
[gentoo-dev] [PATCH 5/6] glep-0078: Clarify that Manifest is signed too
Signed-off-by: Michał Górny --- glep-0078.rst | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/glep-0078.rst b/glep-0078.rst index a109b7f..ab28aed 100644 --- a/glep-0078.rst +++ b/glep-0078.rst @@ -328,7 +328,9 @@ the inner archive contents. This file also provides protection against signature reuse/replacement attacks if the OpenPGP signatures are used. The implementation follows the Manifest specifications in GLEP 74 -[#GLEP74]_ and uses the DATA tag for files within the container. +and uses the ``DATA`` tag for files within the container. +If the package is using OpenPGP signatures, the Manifest file must also +include a cleartext OpenPGP signature as defined in GLEP 74 [#GLEP74]_. The implementation should be able to detect checksum mismatches, as well as missing, duplicate, or extraneous files within -- 2.37.3
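Review bot: in the added sentence, "must also include a cleartext OpenPGP signature" reads as if the signature were an entry inside the Manifest; wording such as "must be cleartext-signed as defined in GLEP 74" would be less ambiguous. The hunk also moves the [#GLEP74]_ marker from the first mention of GLEP 74 in the paragraph to the second; keeping it on the first mention is the more usual placement.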
[gentoo-dev] [PATCH 4/6] glep-0078: Link OpenPGP to RFC 4880
Signed-off-by: Michał Górny --- glep-0078.rst | 10 +++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/glep-0078.rst b/glep-0078.rst index 3078061..a109b7f 100644 --- a/glep-0078.rst +++ b/glep-0078.rst @@ -349,9 +349,10 @@ not verify, the package manager must reject processing the corresponding archive member. In particular, it must not attempt decompressing compressed members in those circumstances. -The signatures are created as binary detached OpenPGP signature files, -with filename corresponding to the member filename with ``.sig`` suffix -appended. +The signatures are created as binary detached OpenPGP signature files +as defined by RFC 4880 § 11.4 or a subsequent standard, with filename +corresponding to the member filename with ``.sig`` suffix appended +[#RFC-4880]_. The exact details regarding creating and verifying signatures, as well as maintaining and distributing keys are outside the scope of this @@ -643,6 +644,9 @@ References .. [#GLEP74] GLEP 74: Full-tree verification using Manifest files (https://www.gentoo.org/glep/glep-0074.html) +.. [#RFC4880] RFC 4880: OpenPGP Message Format + (https://www.rfc-editor.org/rfc/rfc4880) + .. [#DEB-FORMAT] deb(5) — Debian binary package format (https://manpages.debian.org/unstable/dpkg-dev/deb.5.en.html) -- 2.37.3
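Review bot: the citation added in the first hunk is written [#RFC-4880]_, but the footnote added in the References hunk is labelled [#RFC4880], so the reference will not resolve; make the two labels identical. The marker also sits at the end of the sentence, after the ``.sig`` suffix clause, and would read better directly after "RFC 4880 § 11.4".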
[gentoo-dev] [PATCH 3/6] glep-0078: Link compressed file formats to GLEP 74
Signed-off-by: Michał Górny --- glep-0078.rst | 18 ++ 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/glep-0078.rst b/glep-0078.rst index 4d27ac1..3078061 100644 --- a/glep-0078.rst +++ b/glep-0078.rst @@ -5,7 +5,7 @@ Author: Michał Górny , Sheng Yu Type: Standards Track Status: Accepted -Version: 1 +Version: 1.1 Created: 2018-11-15 Last-Modified: 2022-09-21 Post-History: 2018-11-17, 2019-07-08, 2021-09-13, 2021-09-22, 2022-05-28, @@ -304,15 +304,17 @@ Archive member compression The archive members outlined above support optional compression using one of the compressed file formats supported by the package manager. -The exact list of compression types is outside the scope of this -specification. +The list of compression types is maintained in GLEP 74 [#GLEP74]_. +The package manager may implement an arbitrary subset of compressed file +formats. However, it is recommended that it can uncompress all formats +that are not listed as deprecated. The implementations must support archive members being uncompressed, and must support using different compression types for different files. When compressing an archive member, the member filename should be -suffixed using the standard suffix for the particular compressed file -type (e.g. ``.bz2`` for bzip2 format). +suffixed using the suffix for the particular compressed file type +specified in GLEP 74. The package Manifest file 
@@ -638,15 +640,15 @@ References .. [#GNU-TAR] GNU tar: an archiver tool, Appendix E Tar Internals (https://www.gnu.org/software/tar/manual/html_node/Tar-Internals.html) +.. [#GLEP74] GLEP 74: Full-tree verification using Manifest files + (https://www.gentoo.org/glep/glep-0074.html) + .. [#DEB-FORMAT] deb(5) — Debian binary package format (https://manpages.debian.org/unstable/dpkg-dev/deb.5.en.html) .. [#TAR-PORTABILITY] Michał Górny, Portability of tar features (https://dev.gentoo.org/~mgorny/articles/portability-of-tar-features.html) -.. [#GLEP74] GLEP 74: Full-tree verification using Manifest files - (https://www.gentoo.org/glep/glep-0074.html) - .. [#XPAK2GPKG] xpak2gpkg: Proof-of-concept converter from tbz2/xpak to gpkg binpkg format (https://github.com/mgorny/xpak2gpkg) -- 2.37.3
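Review bot: in the "Archive member compression" hunk, the new text lets a package manager implement "an arbitrary subset" of compressed file formats but does not say what it must do when it meets a member compressed with a format it does not implement; stating the required behaviour (for example, rejecting the package) would close that gap. The replacement for the suffix sentence ends "specified in GLEP 74." without the [#GLEP74]_ marker and drops the ``.bz2`` example, so consider keeping one example for readers who do not follow the reference.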
[gentoo-dev] [PATCH 2/6] glep-0078: Link tar format to the respective standards
Signed-off-by: Michał Górny --- glep-0078.rst | 13 +++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/glep-0078.rst b/glep-0078.rst index 24c5c9d..4d27ac1 100644 --- a/glep-0078.rst +++ b/glep-0078.rst @@ -232,8 +232,10 @@ ignore unknown files but preserve them across package updates. Permitted .tar format features -- -The tar archives should use either the POSIX ustar format or a subset -of the GNU format with the following (optional) extensions: +The tar archives should use either the POSIX ustar format as defined +by POSIX.1-2017 [#POSIX-USTAR]_ or a subset of the ustar-compatible +GNU tar format as described in the GNU tar manual [#GNU-TAR]_ with +the following (optional) extensions: - long pathnames and long linknames, @@ -629,6 +631,13 @@ References written in C (https://packages.gentoo.org/packages/app-portage/portage-utils) +.. [#POSIX-USTAR] The Open Group Base Specifications Issue 7, 2018 + edition, pax - portable archive interchange, ustar Interchange Format + (https://pubs.opengroup.org/onlinepubs/9699919799/utilities/pax.html#tag_20_92_13_06) + +.. [#GNU-TAR] GNU tar: an archiver tool, Appendix E Tar Internals + (https://www.gnu.org/software/tar/manual/html_node/Tar-Internals.html) + .. [#DEB-FORMAT] deb(5) — Debian binary package format (https://manpages.debian.org/unstable/dpkg-dev/deb.5.en.html) -- 2.37.3
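Review bot: the body text in the first hunk cites "POSIX.1-2017" while the added [#POSIX-USTAR] footnote is titled "The Open Group Base Specifications Issue 7, 2018 edition"; naming the standard the same way in both places would make it obvious they are the same document. The footnote URL also depends on a generated fragment (#tag_20_92_13_06), so the section title in the footnote text is what readers will have to rely on if that anchor changes.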
[gentoo-dev] [PATCH 1/6] glep-0078: Replace "basename" with non-ambiguous explanation
It has been pointed out that the "basename" term may be ambiguous in the context. Explain explicitly that it is the filename with .gpkg.tar suffix stripped. Signed-off-by: Michał Górny --- glep-0078.rst | 14 -- 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/glep-0078.rst b/glep-0078.rst index 05ceba9..24c5c9d 100644 --- a/glep-0078.rst +++ b/glep-0078.rst @@ -7,8 +7,9 @@ Type: Standards Track Status: Accepted Version: 1 Created: 2018-11-15 -Last-Modified: 2022-08-14 -Post-History: 2018-11-17, 2019-07-08, 2021-09-13, 2021-09-22, 2022-05-28 +Last-Modified: 2022-09-21 +Post-History: 2018-11-17, 2019-07-08, 2021-09-13, 2021-09-22, 2022-05-28, + 2022-09-21 Content-Type: text/x-rst --- @@ -193,10 +194,11 @@ The gpkg package container is an uncompressed .tar achive whose filename should use ``.gpkg.tar`` suffix. The archive contains a number of files. All package-related files -should be stored in a single directory whose name matches the basename -of the package file. However, the implementation must be able to -process an archive where the directory name is mismatched. There should -be no explicit archive member entry for the directory. +should be stored in a single directory whose name matches the package +filaname after stripping the ``.gpkg.tar`` suffix. However, +the implementation must be able to process an archive where +the directory name is mismatched. There should be no explicit archive +member entry for the directory. The package directory contains the following members, in order: -- 2.37.3
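Review bot: the added line in the "@@ -193,10 +194,11 @@" hunk misspells "filename" as "filaname"; fix it before merging. The unchanged context line just above has "achive" for "archive", which could be corrected in the same patch since the paragraph is being touched anyway.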
[gentoo-dev] [PATCH 0/6] glep-0078: Clarifications
Hi,

Here's a bunch of patches to GLEP 78 (GPKG format). They're mostly clarifications, that is:

- replacing "basename" with more specific explanation
- linking formats to the respective standards
- deferring compressed file formats to GLEP 74
- clarifying the situation around Manifest signing and verifying binpkg authenticity

Please review.

Michał Górny (6):
  glep-0078: Replace "basename" with non-ambiguous explanation
  glep-0078: Link tar format to the respective standards
  glep-0078: Link compressed file formats to GLEP 74
  glep-0078: Link OpenPGP to RFC 4880
  glep-0078: Clarify that Manifest is signed too
  glep-0078: Clarify that Manifest must be present for signed binpkg

 glep-0078.rst | 64 +++
 1 file changed, 44 insertions(+), 20 deletions(-)

--
2.37.3