Re: [arch-dev-public] [signoff] ca-certificates 20111025-2
On 30/10/11 03:25, Pierre Schmitz wrote:
> Hi,
>
> the locale problems should have been resolved with this package. The upstream changes can be found at:
> http://packages.qa.debian.org/c/ca-certificates/news/20111022T133218Z.html
> and
> http://packages.qa.debian.org/c/ca-certificates/news/20111026T183215Z.html
>
> Please sign off,

Signoff,
Allan
[arch-dev-public] Finalizing the package signing process
Hi all,

it's about time to finalize our signing policy to get all our packages properly signed as soon as possible. Note that this is just about signing the package itself. How we will manage our keyring and sign that one using master keys is a different story.

At first please have a look at https://wiki.archlinux.org/index.php/DeveloperWiki:Signing_Packages and let me know if there is anything wrong or unclear. I would like to present this little Howto to the TU so that community packages can be signed as well.

To speed things up I'd like to let dbscripts enforce signed packages. This means that from now on no new packages can be uploaded that don't have a signature. We may give the TU a few days more time as this will be new to them.

If you just agree with all this send a +1.

Greetings,

Pierre

--
Pierre Schmitz, http://pierre-schmitz.com
Re: [arch-dev-public] Finalizing the package signing process
On 30.10.2011 14:12, Pierre Schmitz wrote:
> To speed things up I'd like to let dbscripts enforce signed packages. This means that from now on no new packages can be uploaded that don't have a signature.

+1

> We may give the TU a few days more time as this will be new to them.

-1 - they had more than enough time.
Re: [arch-dev-public] Finalizing the package signing process
On Sunday 30 October 2011 14:12:20 Pierre Schmitz wrote:
> Hi all,
>
> it's about time to finalize our signing policy to get all our packages properly signed as soon as possible. Note that this is just about signing the package itself. How we will manage our keyring and sign that one using master keys is a different story.
>
> At first please have a look at https://wiki.archlinux.org/index.php/DeveloperWiki:Signing_Packages and let me know if there is anything wrong or unclear. I would like to present this little Howto to the TU so that community packages can be signed as well.
>
> To speed things up I'd like to let dbscripts enforce signed packages. This means that from now on no new packages can be uploaded that don't have a signature. We may give the TU a few days more time as this will be new to them.
>
> If you just agree with all this send a +1.

+1 to enforce signed packages. This has been discussed for months and creating a key takes only a few seconds.

-t
Re: [arch-dev-public] Finalizing the package signing process
On 30/10/2011 14:12, Pierre Schmitz wrote:
> Hi all,
>
> it's about time to finalize our signing policy to get all our packages properly signed as soon as possible. Note that this is just about signing the package itself. How we will manage our keyring and sign that one using master keys is a different story.
>
> At first please have a look at https://wiki.archlinux.org/index.php/DeveloperWiki:Signing_Packages and let me know if there is anything wrong or unclear. I would like to present this little Howto to the TU so that community packages can be signed as well.
>
> To speed things up I'd like to let dbscripts enforce signed packages. This means that from now on no new packages can be uploaded that don't have a signature. We may give the TU a few days more time as this will be new to them.
>
> If you just agree with all this send a +1.

+1

--
Arch Linux Developer
http://www.archlinux.org
http://www.archlinux.it
Re: [arch-dev-public] Finalizing the package signing process
On Sun, Oct 30, 2011 at 2:31 PM, Giovanni Scafora giova...@archlinux.org wrote:
> On 30/10/2011 14:12, Pierre Schmitz wrote:
> > Hi all,
> >
> > it's about time to finalize our signing policy to get all our packages properly signed as soon as possible. Note that this is just about signing the package itself. How we will manage our keyring and sign that one using master keys is a different story.
> >
> > At first please have a look at https://wiki.archlinux.org/index.php/DeveloperWiki:Signing_Packages and let me know if there is anything wrong or unclear. I would like to present this little Howto to the TU so that community packages can be signed as well.
> >
> > To speed things up I'd like to let dbscripts enforce signed packages. This means that from now on no new packages can be uploaded that don't have a signature. We may give the TU a few days more time as this will be new to them.
> >
> > If you just agree with all this send a +1.
>
> +1
>
> --
> Arch Linux Developer
> http://www.archlinux.org
> http://www.archlinux.it

+1

Ronald
Re: [arch-dev-public] Finalizing the package signing process
On Sun, Oct 30, 2011 at 02:12:20PM +0100, Pierre Schmitz wrote:
> Hi all,
>
> it's about time to finalize our signing policy to get all our packages properly signed as soon as possible. Note that this is just about signing the package itself. How we will manage our keyring and sign that one using master keys is a different story.
>
> At first please have a look at https://wiki.archlinux.org/index.php/DeveloperWiki:Signing_Packages and let me know if there is anything wrong or unclear. I would like to present this little Howto to the TU so that community packages can be signed as well.
>
> To speed things up I'd like to let dbscripts enforce signed packages. This means that from now on no new packages can be uploaded that don't have a signature. We may give the TU a few days more time as this will be new to them.
>
> If you just agree with all this send a +1.
>
> Greetings,
>
> Pierre
>
> --
> Pierre Schmitz, http://pierre-schmitz.com

+1.
Re: [arch-dev-public] [signoff] curl 7.22.0-3
On Sun, Oct 30, 2011 at 04:56:45PM +1100, Gaetan Bisson wrote:
> [2011-10-29 15:19:08 -0400] Dave Reisner:
> > A rebuild of curl 7.22.0 is in [testing]. It's nothing special, just reverting my cert changes from -2. I don't really have the time to invest in figuring out our ca-certificates package at the moment.
>
> Shouldn't that new package depend on ca-certificates?

G, yes it should.
Re: [arch-dev-public] [signoff] linux-3.1-1
On 29.10.2011 21:58, Thomas Bächler wrote:
> On 29.10.2011 20:53, Jan de Groot wrote:
> > http://lists.freedesktop.org/archives/intel-gfx/2011-April/010371.html
> >
> > That's the whole discussion about this one. Seems to have been applied, but reverted because the reasoning behind the patch was unclear. Someone claims it's documented in some errata, but doesn't say which one. That's unfortunate. So far I've been able to find the bug in our tracker, with a link to the kernel.org bugtracker that's down:
> > https://bugs.archlinux.org/task/19234
>
> Oh yeah, the kernel.org bugzilla, still down. We could add it back I guess, but this time with some proper references in the PKGBUILD (like the above two links).

Forgot to say this: Jan, can you please re-submit that patch to the appropriate mailing lists, and explain the whole situation? IMO it is a critical error in the upstream driver and must be taken care of upstream.
Re: [arch-dev-public] Finalizing the package signing process
On 30.10.2011 14:12, Pierre Schmitz wrote:
> If you just agree with all this send a +1.

+1

PS: we should get a voting system

--
Florian Pritz
Re: [arch-dev-public] Finalizing the package signing process
On 30 October 2011 14:14, Thomas Bächler tho...@archlinux.org wrote:
> On 30.10.2011 14:12, Pierre Schmitz wrote:
> > To speed things up I'd like to let dbscripts enforce signed packages. This means that from now on no new packages can be uploaded that don't have a signature.
>
> +1
>
> > We may give the TU a few days more time as this will be new to them.
>
> -1 - they had more than enough time.

I agree with Thomas, +1 about dbscripts. -1 about more time to the TUs.

--
Andrea
Re: [arch-dev-public] Finalizing the package signing process
On 30.10.2011 14:12, Pierre Schmitz wrote:
> Hi all,
>
> it's about time to finalize our signing policy to get all our packages properly signed as soon as possible. Note that this is just about signing the package itself. How we will manage our keyring and sign that one using master keys is a different story.
>
> At first please have a look at https://wiki.archlinux.org/index.php/DeveloperWiki:Signing_Packages and let me know if there is anything wrong or unclear. I would like to present this little Howto to the TU so that community packages can be signed as well.
>
> To speed things up I'd like to let dbscripts enforce signed packages. This means that from now on no new packages can be uploaded that don't have a signature. We may give the TU a few days more time as this will be new to them.
>
> If you just agree with all this send a +1.
>
> Greetings,
>
> Pierre

+1

--
Tobias Powalowski
Archlinux Developer Package Maintainer (tpowa)
http://www.archlinux.org
tp...@archlinux.org
Re: [arch-dev-public] Finalizing the package signing process
On Sun, 30 Oct 2011 14:12:20 +0100 Pierre Schmitz pie...@archlinux.de wrote:
> Hi all,
>
> it's about time to finalize our signing policy to get all our packages properly signed as soon as possible. Note that this is just about signing the package itself. How we will manage our keyring and sign that one using master keys is a different story.
>
> At first please have a look at https://wiki.archlinux.org/index.php/DeveloperWiki:Signing_Packages and let me know if there is anything wrong or unclear. I would like to present this little Howto to the TU so that community packages can be signed as well.
>
> To speed things up I'd like to let dbscripts enforce signed packages. This means that from now on no new packages can be uploaded that don't have a signature. We may give the TU a few days more time as this will be new to them.
>
> If you just agree with all this send a +1.
>
> Greetings,
>
> Pierre

I'm building my packages exclusively on pkgbuild.com and there I can't sign packages. If we do the switch in dbscripts then pkgbuild.com should be ready to generate signed packages. As far as I know it isn't possible yet, am I right?

Otherwise I would say +1, but for now -1.

Daniel
Re: [arch-dev-public] Finalizing the package signing process
On 30/10/2011 18:56, Daniel Isenmann wrote:
> I'm building my packages exclusively on pkgbuild.com and there I can't sign packages. If we do the switch in dbscripts then pkgbuild.com should be ready to generate signed packages. As far as I know it isn't possible yet, am I right?

You can build your packages on pkgbuild.com, then download them locally and sign them with gpg --detach-sign package. After, you have to send .sig files (i686 and x86_64) on pkgbuild, then execute extrapkg or similar command.

--
Arch Linux Developer
http://www.archlinux.org
http://www.archlinux.it
Re: [arch-dev-public] sign packages on alderaan (was: Finalizing the package signing process)
On 30.10.2011 18:56, Daniel Isenmann wrote:
> I'm building my packages exclusively on pkgbuild.com and there I can't sign packages. If we do the switch in dbscripts then pkgbuild.com should be ready to generate signed packages. As far as I know it isn't possible yet, am I right?

So far the only solution is to download the finished package, sign it locally using gpg --detach-sign file and then uploading the signature back to pkgbuild.com so commitpkg will find it.

There has been some discussion [1] about remote signing for GPG, but I think they dropped the idea.

[1]: http://lists.gnupg.org/pipermail/gnupg-users/2011-June/042068.html

--
Florian Pritz
Re: [arch-dev-public] Finalizing the package signing process
On Sun, 30 Oct 2011 19:04:51 +0100 Giovanni Scafora giova...@archlinux.org wrote:
> On 30/10/2011 18:56, Daniel Isenmann wrote:
> > I'm building my packages exclusively on pkgbuild.com and there I can't sign packages. If we do the switch in dbscripts then pkgbuild.com should be ready to generate signed packages. As far as I know it isn't possible yet, am I right?
>
> You can build your packages on pkgbuild.com, then download them locally and sign them with gpg --detach-sign package. After, you have to send .sig files (i686 and x86_64) on pkgbuild, then execute extrapkg or similar command.

Downloading them locally isn't really a solution. Too low bandwidth and most of the time I don't build the packages from home. If dbscripts get updated without pkgbuild.com supports signing, then I can't build packages.
Re: [arch-dev-public] Finalizing the package signing process
On Sun, 30 Oct 2011 14:12:20 +0100 Pierre Schmitz pie...@archlinux.de wrote:
> Hi all,
>
> it's about time to finalize our signing policy to get all our packages properly signed as soon as possible. Note that this is just about signing the package itself. How we will manage our keyring and sign that one using master keys is a different story.
>
> At first please have a look at https://wiki.archlinux.org/index.php/DeveloperWiki:Signing_Packages and let me know if there is anything wrong or unclear. I would like to present this little Howto to the TU so that community packages can be signed as well.
>
> To speed things up I'd like to let dbscripts enforce signed packages. This means that from now on no new packages can be uploaded that don't have a signature. We may give the TU a few days more time as this will be new to them.
>
> If you just agree with all this send a +1.
>
> Greetings,
>
> Pierre

sure why not.
Re: [arch-dev-public] Finalizing the package signing process
On 30.10.2011 19:13, Daniel Isenmann wrote:
> On Sun, 30 Oct 2011 19:04:51 +0100 Giovanni Scafora giova...@archlinux.org wrote:
> > On 30/10/2011 18:56, Daniel Isenmann wrote:
> > > I'm building my packages exclusively on pkgbuild.com and there I can't sign packages. If we do the switch in dbscripts then pkgbuild.com should be ready to generate signed packages. As far as I know it isn't possible yet, am I right?
> >
> > You can build your packages on pkgbuild.com, then download them locally and sign them with gpg --detach-sign package. After, you have to send .sig files (i686 and x86_64) on pkgbuild, then execute extrapkg or similar command.

You can also use commitpkg (as in extrapkg, testingpkg etc.) to sign the file if you put the package into your build tree.

> Downloading them locally isn't really a solution. Too low bandwidth and most of the time I don't build the packages from home. If dbscripts get updated without pkgbuild.com supports signing, then I can't build packages.

I am sorry, but I have no solution for this atm. And who knows how long it takes until gpg is able to do key forwarding and remote signing. So I don't feel we should wait for that. And honestly: the build server with that much people having root access is quite a problem anyway.

Also if you don't even download (and install) some your own packages, maybe a better solution would be to find someone else to maintain them.

Greetings,

Pierre

--
Pierre Schmitz, http://pierre-schmitz.com
Re: [arch-dev-public] sign packages on alderaan (was: Finalizing the package signing process)
On Sun, 30 Oct 2011 19:06:21 +0100 Florian Pritz bluew...@xinu.at wrote:
> On 30.10.2011 18:56, Daniel Isenmann wrote:
> > I'm building my packages exclusively on pkgbuild.com and there I can't sign packages. If we do the switch in dbscripts then pkgbuild.com should be ready to generate signed packages. As far as I know it isn't possible yet, am I right?
>
> So far the only solution is to download the finished package, sign it locally using gpg --detach-sign file and then uploading the signature back to pkgbuild.com so commitpkg will find it.
>
> There has been some discussion [1] about remote signing for GPG, but I think they dropped the idea.
>
> [1]: http://lists.gnupg.org/pipermail/gnupg-users/2011-June/042068.html

Kerrick Staley's last comment [1] on this thread was that they will go with the hash-signing implementation. But it seems that there is nothing new on this topic.

[1]: http://lists.gnupg.org/pipermail/gnupg-users/2011-June/042078.html
Re: [arch-dev-public] Finalizing the package signing process
On Sun, Oct 30, 2011 at 9:05 PM, Daniel Isenmann daniel.isenm...@gmx.de wrote:
> As it seems that there is no real solution here, I will try to do it like Florian and Giovanni said it. Downloading the package, sign it locally and upload the signature to pkgbuild again. Nevertheless we should find a solution to build signed packages on pkgbuild, otherwise we will lose our buildserver here, because I see this as a workaround and not as a solution.

I don't think signing remotely is going to be possible, also I don't see the point of it. We anyway have to download the package in order to test it, so we wouldn't really gain anything.

I use a script to download, sign and upload signature, then I test the package locally before pushing it to the repos.

Just my two cents.

Cheers,

Tom
Re: [arch-dev-public] Finalizing the package signing process
On Sun, 30 Oct 2011 21:32:25 +0100 Tom Gundersen t...@jklm.no wrote:
> On Sun, Oct 30, 2011 at 9:05 PM, Daniel Isenmann daniel.isenm...@gmx.de wrote:
> > As it seems that there is no real solution here, I will try to do it like Florian and Giovanni said it. Downloading the package, sign it locally and upload the signature to pkgbuild again. Nevertheless we should find a solution to build signed packages on pkgbuild, otherwise we will lose our buildserver here, because I see this as a workaround and not as a solution.
>
> I don't think signing remotely is going to be possible, also I don't see the point of it. We anyway have to download the package in order to test it, so we wouldn't really gain anything.

Not all packages have to be tested, e.g. a large rebuild against a new library version which you are sure that nothing is broken in your package and only needs new linking against the new library. That's only as an example.

> I use a script to download, sign and upload signature, then I test the package locally before pushing it to the repos.

Mind if you can provide the script. Such a helper script would help a lot.

> Just my two cents.
>
> Cheers,
>
> Tom
Re: [arch-dev-public] Finalizing the package signing process
On Sun, Oct 30, 2011 at 9:38 PM, Daniel Isenmann daniel.isenm...@gmx.de wrote:
> > I don't think signing remotely is going to be possible, also I don't see the point of it. We anyway have to download the package in order to test it, so we wouldn't really gain anything.
>
> Not all packages have to be tested, e.g. a large rebuild against a new library version which you are sure that nothing is broken in your package and only needs new linking against the new library. That's only as an example.

But surely you will eventually download and install it? That said, I guess there will be cases where it would be useful to not immediately have to download the package (even if I'm struggling to imagine atm).

> > I use a script to download, sign and upload signature, then I test the package locally before pushing it to the repos.
>
> Mind if you can provide the script. Such a helper script would help a lot.

Sure, it is based on something given to me by another dev on IRC (forgot who). Hopefully they won't sue me for copyright infringement ;-) It will leave the packages in /tmp for you to test, so you might want to remember to delete them afterwards.

    #!/bin/bash
    # Usage: pass the package name as $1.
    # Fetch the built packages, sign them locally, upload the detached signatures.
    DIR=$(mktemp -d "/tmp/signpkg.${1}.XXXXXX") || exit 1
    pushd "${DIR}" || exit 1
    scp "pkgbuild.com:svn-packages/$1/trunk/*.pkg.tar.xz" . || exit 1
    for i in *.pkg.tar.xz; do
        # gpg --detach-sign --use-agent -u $KEY $i
        gpg --detach-sign --use-agent "$i" || exit 1
    done
    scp *.pkg.tar.xz.sig "pkgbuild.com:svn-packages/$1/trunk/"
    popd
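A pre-upload check for the download, sign and upload workflow in the message above, added here as an example; it is not part of the thread and is not dbscripts code. The function names are hypothetical, and it assumes the packages and their .sig files sit in one directory, such as the /tmp/signpkg.* directory the script leaves behind.

```shell
#!/bin/bash
# Added example: pre-upload check for the download / sign / upload workflow.
# All function names are hypothetical; this is not dbscripts or devtools code.

# Print the file name of every package in DIR that has no usable signature.
# "Usable" here means only that <package>.sig exists and is not empty.
unsigned_packages() {
    local dir="$1" pkg
    for pkg in "$dir"/*.pkg.tar.xz; do
        [ -e "$pkg" ] || continue            # glob matched nothing
        [ -s "$pkg.sig" ] || printf '%s\n' "${pkg##*/}"
    done
}

# Print the file name of every package whose detached signature does not
# verify against the package file with the keys in the caller's keyring.
bad_signatures() {
    local dir="$1" pkg
    for pkg in "$dir"/*.pkg.tar.xz; do
        [ -s "$pkg.sig" ] || continue        # reported by unsigned_packages
        gpg --verify "$pkg.sig" "$pkg" >/dev/null 2>&1 ||
            printf '%s\n' "${pkg##*/}"
    done
}

# Exit status: 0 = every package signed and verified, 1 = a signature is
# missing or empty, 2 = no packages found, 3 = a signature fails to verify.
check_upload() {
    local dir="$1" missing bad
    set -- "$dir"/*.pkg.tar.xz
    if [ ! -e "$1" ]; then
        echo "no packages in $dir" >&2
        return 2
    fi
    missing=$(unsigned_packages "$dir")
    if [ -n "$missing" ]; then
        printf 'missing or empty signature:\n%s\n' "$missing" >&2
        return 1
    fi
    bad=$(bad_signatures "$dir")
    if [ -n "$bad" ]; then
        printf 'signature does not verify:\n%s\n' "$bad" >&2
        return 3
    fi
    return 0
}

# Run the check when a directory is given, e.g. the /tmp/signpkg.* directory.
if [ $# -gt 0 ]; then
    check_upload "$1"
fi
```

gpg --verify exits 0 for a good signature from any key in the keyring, so which keys count as trusted remains the keyring question the thread sets aside.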
Re: [arch-dev-public] Finalizing the package signing process
On Sun, 30 Oct 2011 21:58:35 +0100 Tom Gundersen t...@jklm.no wrote:
> On Sun, Oct 30, 2011 at 9:38 PM, Daniel Isenmann daniel.isenm...@gmx.de wrote:
> > > I don't think signing remotely is going to be possible, also I don't see the point of it. We anyway have to download the package in order to test it, so we wouldn't really gain anything.
> >
> > Not all packages have to be tested, e.g. a large rebuild against a new library version which you are sure that nothing is broken in your package and only needs new linking against the new library. That's only as an example.
>
> But surely you will eventually download and install it? That said, I guess there will be cases where it would be useful to not immediately have to download the package (even if I'm struggling to imagine atm).

Sure. I will do that. But mainly I build the packages not at home and that's my main problem. But I will try the method with your small script, thanks for that.

> > > I use a script to download, sign and upload signature, then I test the package locally before pushing it to the repos.
> >
> > Mind if you can provide the script. Such a helper script would help a lot.
>
> Sure, it is based on something given to me by another dev on IRC (forgot who). Hopefully they won't sue me for copyright infringement ;-) It will leave the packages in /tmp for you to test, so you might want to remember to delete them afterwards.
>
>     #!/bin/bash
>     # Usage: pass the package name as $1.
>     # Fetch the built packages, sign them locally, upload the detached signatures.
>     DIR=$(mktemp -d "/tmp/signpkg.${1}.XXXXXX") || exit 1
>     pushd "${DIR}" || exit 1
>     scp "pkgbuild.com:svn-packages/$1/trunk/*.pkg.tar.xz" . || exit 1
>     for i in *.pkg.tar.xz; do
>         # gpg --detach-sign --use-agent -u $KEY $i
>         gpg --detach-sign --use-agent "$i" || exit 1
>     done
>     scp *.pkg.tar.xz.sig "pkgbuild.com:svn-packages/$1/trunk/"
>     popd

Thanks for that...

Daniel
Re: [arch-dev-public] Finalizing the package signing process
[2011-10-30 14:12:20 +0100] Pierre Schmitz:
> If you just agree with all this send a +1.

I agree with all this.

--
Gaetan
Re: [arch-dev-public] Finalizing the package signing process
On 30 October 2011 22:47, Daniel Isenmann daniel.isenm...@gmx.de wrote:
> On Sun, 30 Oct 2011 21:58:35 +0100 Tom Gundersen t...@jklm.no wrote:
> > On Sun, Oct 30, 2011 at 9:38 PM, Daniel Isenmann daniel.isenm...@gmx.de wrote:
> > > > I don't think signing remotely is going to be possible, also I don't see the point of it. We anyway have to download the package in order to test it, so we wouldn't really gain anything.
> > >
> > > Not all packages have to be tested, e.g. a large rebuild against a new library version which you are sure that nothing is broken in your package and only needs new linking against the new library. That's only as an example.
> >
> > But surely you will eventually download and install it? That said, I guess there will be cases where it would be useful to not immediately have to download the package (even if I'm struggling to imagine atm).
>
> Sure. I will do that. But mainly I build the packages not at home and that's my main problem. But I will try the method with your small script, thanks for that.
>
> > > > I use a script to download, sign and upload signature, then I test the package locally before pushing it to the repos.
> > >
> > > Mind if you can provide the script. Such a helper script would help a lot.
> >
> > Sure, it is based on something given to me by another dev on IRC (forgot who). Hopefully they won't sue me for copyright infringement ;-) It will leave the packages in /tmp for you to test, so you might want to remember to delete them afterwards.
> >
> >     #!/bin/bash
> >     # Usage: pass the package name as $1.
> >     # Fetch the built packages, sign them locally, upload the detached signatures.
> >     DIR=$(mktemp -d "/tmp/signpkg.${1}.XXXXXX") || exit 1
> >     pushd "${DIR}" || exit 1
> >     scp "pkgbuild.com:svn-packages/$1/trunk/*.pkg.tar.xz" . || exit 1
> >     for i in *.pkg.tar.xz; do
> >         # gpg --detach-sign --use-agent -u $KEY $i
> >         gpg --detach-sign --use-agent "$i" || exit 1
> >     done
> >     scp *.pkg.tar.xz.sig "pkgbuild.com:svn-packages/$1/trunk/"
> >     popd
>
> Thanks for that...
>
> Daniel

Just in case it can help, I also made a script [0] that updates the svn tree from alderaan to a local tree and rsync the remote packages to a local folder. I then just need to install, test and if OK I can extrapkg 'blahblahblah' from my local machine. It also works with community packages.

(Don't forget the configuration file [1] if you want to test)

[0] https://raw.github.com/galaux/scripts/master/duppkgbuild/duppkgbuild
[1] https://raw.github.com/galaux/scripts/master/duppkgbuild/duppkgbuild.conf

--
Guillaume
Re: [arch-dev-public] sign packages on alderaan
On 31/10/11 06:09, Daniel Isenmann wrote:
> On Sun, 30 Oct 2011 19:06:21 +0100 Florian Pritz bluew...@xinu.at wrote:
> > On 30.10.2011 18:56, Daniel Isenmann wrote:
> > > I'm building my packages exclusively on pkgbuild.com and there I can't sign packages. If we do the switch in dbscripts then pkgbuild.com should be ready to generate signed packages. As far as I know it isn't possible yet, am I right?
> >
> > So far the only solution is to download the finished package, sign it locally using gpg --detach-sign file and then uploading the signature back to pkgbuild.com so commitpkg will find it.
> >
> > There has been some discussion [1] about remote signing for GPG, but I think they dropped the idea.
> >
> > [1]: http://lists.gnupg.org/pipermail/gnupg-users/2011-June/042068.html
>
> Kerrick Staley's last comment [1] on this thread was that they will go with the hash-signing implementation. But it seems that there is nothing new on this topic.
>
> [1]: http://lists.gnupg.org/pipermail/gnupg-users/2011-June/042078.html

I'd be much more interested in a patch that actually lets you do remote signing than a discussion that went nowhere...
http://lists.gnupg.org/pipermail/gnupg-devel/2011-July/026170.html

But then again, that patch went nowhere in the end too as far as I can tell.

Allan
[arch-dev-public] SLiM up for adoption
Hi devs, Hi TUs,

I am orphaning SLiM (login manager): upstream is dead, patches keep piling up, and I actually stopped using that package a while ago.

As far as I know, our current package has only one unfixed bug: https://bugs.archlinux.org/task/26579

Anyhow, I will move that package to the AUR in a week or so unless a dev or a TU wishes to adopt it.

Cheers.

--
Gaetan
Re: [arch-dev-public] Finalizing the package signing process
On Sun, Oct 30, 2011 at 9:12 AM, Pierre Schmitz pie...@archlinux.de wrote:
> Hi all,
>
> it's about time to finalize our signing policy to get all our packages properly signed as soon as possible. Note that this is just about signing the package itself. How we will manage our keyring and sign that one using master keys is a different story.
>
> At first please have a look at https://wiki.archlinux.org/index.php/DeveloperWiki:Signing_Packages and let me know if there is anything wrong or unclear. I would like to present this little Howto to the TU so that community packages can be signed as well.
>
> To speed things up I'd like to let dbscripts enforce signed packages. This means that from now on no new packages can be uploaded that don't have a signature. We may give the TU a few days more time as this will be new to them.
>
> If you just agree with all this send a +1.

+1

Eric

> Greetings,
>
> Pierre
>
> --
> Pierre Schmitz, http://pierre-schmitz.com
[arch-dev-public] [signoff] crda 1.1.2-1 and wireless-regdb 2011.04.28-1
Upstream updates. Please excuse the late regdb update, it seems I never adopted the package and never got the out-of-date notification.
Re: [arch-dev-public] Finalizing the package signing process
On 31 October 2011 01:56, Daniel Isenmann daniel.isenm...@gmx.de wrote:
> I'm building my packages exclusively on pkgbuild.com and there I can't sign packages. If we do the switch in dbscripts then pkgbuild.com should be ready to generate signed packages. As far as I know it isn't possible yet, am I right?
>
> Otherwise I would say +1, but for now -1.

Ditto. I normally only download and test packages that I use and/or are important/popular, other updates are merely minor version bumps, and sometimes I am bandwidth-constrained to download anything more than a few megs.

But I hope I'm right that most of my packages are lean, in which case downloading the packages and uploading only the sigs then won't be much of a problem. And anyway, there was a time when there was no pkgbuild.com and I had to build packages locally and on slow networks, so I think I can manage.

In general, +1.

--
GPG/PGP ID: 8AADBB10