Re: [aur-general] TU application: Jonas Witschel (diabonas)

2019-09-05 Thread Alad Wenter via aur-general
On 9/5/19 5:29 PM, Alad Wenter via aur-general wrote:
> On Thu, Sep 05, 2019 at 05:23:20PM +0200, Jonas Witschel wrote:
>> Hi all,
>>
>> my name is Jonas Witschel (online nick "diabonas" on the
>> AUR/GitHub/GitLab/...) and I am applying as an Arch Linux Trusted User
>> under the sponsorship of Bruno Pagani and Alad Wenter.
>>
> I hereby confirm my sponsorship of Jonas. Best of luck with your
> application!
>
> Alad

Just to add some words beyond "I sponsor this candidate"...

My first encounter with diabonas was when he fixed some broken behavior
with aurutils [7, 8]. I got no github issue, but instead directly a PR
to fix it. :) I also noticed his interest in WKD when he created a
detailed table on the wiki [9] for every developer and TU key, with the
corresponding bug report.

When Bruno mentioned Jonas was interested in becoming TU, I was
pleasantly surprised and looked at his various AUR packages. What I
found most remarkable was the amount of insight found in these packages,
e.g. the comments in tpm2-tss-git [10]. I thus asked to send in a draft
of the application, found it good and gave my Stamp of Approval(TM).

[7] https://github.com/AladW/aurutils/pull/493
[8] https://github.com/AladW/aurutils/pull/464
[9] https://wiki.archlinux.org/index.php/User:Diabonas/WKD_support_by_developer_key
[10] https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=tpm2-tss-git#n45

Alad

>
>> A few words about myself: I am a math PhD student and long-time Linux
>> user. I switched to Arch Linux around 2016 because I like the idea of a
>> rolling release distribution that stays close to upstream, which is
>> especially beneficial when doing software development. I got more
>> actively involved in contributing to Arch when the previous AUR
>> maintainer of the tpm2-software stack (tpm2-tss, tpm2-abrmd and
>> tpm2-tools) orphaned these packages, so I took over maintenance until
>> they were adopted into [community].
>>
>> I am interested in many security-related things such as Secure Boot,
>> Trusted Platform Modules (TPMs), disk encryption, PGP, ... As such, I am
>> a member of the tpm2-software organisation and a maintainer of tpm2-totp
>> [1]. Recently I have been working on getting Web Key Directory support
>> into pacman for fetching PGP keys independently of the key server
>> network [2,3]. A repository of all my AUR packages can be found on
>> GitLab [4].
>>
>> If I were accepted as a trusted user, I would take over maintenance of
>> the tpm2-software stack from my sponsor Bruno Pagani. This makes sense
>> since I am an upstream member of tpm2-software anyway and had been
>> maintaining these packages until they were adopted into [community].
>> Another long-time goal as a trusted user would be getting out of the box
>> Secure Boot support for the Arch Linux installation images [5,6].
>>
>> Packages I would like to adopt from the AUR to [community] for starters are:
>>
>> - The rest of the tpm2-software stack: tpm2-tss-engine and tpm2-totp
>> (when they have reached the 1% usage from pkgstats/10 votes on the AUR
>> threshold), tpm2-pkcs11-git (as soon as it gets a release).
>> - clevis and tang (and their dependencies jose, luksmeta)
>> - sbupdate-git (I need to speak to upstream about making a release first)
>> - paperkey
>> - cryptomator
>> - deheader
>> - texworks
>> - pdftk-java (an exact Java reimplementation of the very popular
>> pdftk/pdftk-bin, which is hard to package since it relies on an outdated
>> version of GCC)
>>
>> I am looking forward to working with you and welcome any questions and
>> comments!
>>
>> Cheers,
>> Jonas
>>
>> [1] https://github.com/tpm2-software/tpm2-totp
>> [2] https://bugs.archlinux.org/task/63171
>> [3] https://lists.archlinux.org/pipermail/pacman-dev/2019-July/023493.html
>> [4] https://gitlab.com/diabonas/aur-packages
>> [5] https://bugs.archlinux.org/task/53864
>> [6] https://lists.archlinux.org/pipermail/arch-releng/2019-January/003891.html
>>
>
>



signature.asc
Description: OpenPGP digital signature


Re: [aur-general] TU application: Jonas Witschel (diabonas)

2019-09-05 Thread Bruno Pagani via aur-general
Hi there,

On 05/09/2019 17:23, Jonas Witschel wrote:
> Hi all,
>
> my name is Jonas Witschel (online nick "diabonas" on the
> AUR/GitHub/GitLab/...) and I am applying as an Arch Linux Trusted User
> under the sponsorship of Bruno Pagani and Alad Wenter.

I hereby confirm my sponsorship of Jonas. :) I have known him since I
took over some tpm2 stuff into [community] as required dependencies for
fwupd very early this year, and have ever since been amazed by his work.
More on that below. ;)

> […]
>
> I am interested in many security-related things such as Secure Boot,
> Trusted Platform Modules (TPMs), disk encryption, PGP, ... As such, I am
> a member of the tpm2-software organisation and a maintainer of tpm2-totp
> [1]. Recently I have been working on getting Web Key Directory support
> into pacman for fetching PGP keys independently of the key server
> network [2,3]. A repository of all my AUR packages can be found on
> GitLab [4].

I am really interested in Jonas's work on security and TPM in particular;
I think there is quite some space to be filled on boot security in our
tools and documentation. I think Jonas will be of great expertise in
this particular area.

> If I were accepted as a trusted user, I would take over maintenance of
> the tpm2-software stack from my sponsor Bruno Pagani. This makes sense
> since I am an upstream member of tpm2-software anyway and had been
> maintaining these packages until they were adopted into [community].

That is the part where I need to disagree. ;) Not on Jonas taking
maintainership of those packages again of course (we naturally discussed
this beforehand), but on the fact that he ever stopped maintaining them. I
would just say he stopped committing the changes himself, but that's
about all. Everyone is free to see the kind of OOD messages he has been
leaving me over the past months, as can still be viewed on tpm2-tss [0],
which I did not have time to update yet. So as a matter of fact, I
consider that Jonas has remained the actual maintainer of the tpm2 stack even
after I moved some parts of it into [community]. It would hence just be
logical for me that he gets the commit rights necessary to pursue this
job by himself (also, I could make use of some pkgnumber reduction…). :)

> Another long-time goal as a trusted user would be getting out of the box
> Secure Boot support for the Arch Linux installation images [5,6].
>
> Packages I would like to adopt from the AUR to [community] for starters are:
>
> - The rest of the tpm2-software stack: tpm2-tss-engine and tpm2-totp
> (when they have reached the 1% usage from pkgstats/10 votes on the AUR
> threshold), tpm2-pkcs11-git (as soon as it gets a release).
> - clevis and tang (and their dependencies jose, luksmeta)
> - sbupdate-git (I need to speak to upstream about making a release first)
> - paperkey
> - cryptomator
> - deheader
> - texworks
> - pdftk-java (an exact Java reimplementation of the very popular
> pdftk/pdftk-bin, which is hard to package since it relies on an outdated
> version of GCC)

I should say that despite what appearances might suggest (e.g. no
bunch of commits fixing issues on all packages at roughly the same
time), I actually reviewed Jonas's packages but only found two or three
minor nits. As well, when I moved some of the tpm2 packages into
[community], I mostly just had to copy the PKGBUILD verbatim.

> I am looking forward to working with you and welcome any questions and
> comments!

And I definitely look forward to working with you as part of our TU
team too! I wish you good luck with your application and hope you’ll
convince everyone just as Alad and I were. ;)

Regards,
Bruno/Archange

[0] https://www.archlinux.org/packages/community/x86_64/tpm2-tss/




signature.asc
Description: OpenPGP digital signature


Re: [aur-general] TU application: Jonas Witschel (diabonas)

2019-09-05 Thread Jonas Witschel
Hi Rob,

On 2019-09-05 17:42, Robin Broda via aur-general wrote:
> junit-system-rules is fetching a source via http - can this be avoided? 
> (http://search.maven.org)
> It appears to be reachable via https.

certainly it can, thanks for spotting this, fixed! I don't really like
fetching prebuilt Java archives, although it is allowed by the
packaging guidelines, but that doesn't mean I can't at least do it over
an authenticated connection ;)

> The packages you want to adopt look useful. The 10 votes metric is more of a
> general recommendation than a rule, feel free to pull those in without
> hitting the metric - especially given that they are useful in specific
> security contexts.

Good to know! In that case I would probably adopt tpm2-tss-engine and
tpm2-totp just to have the complete tpm2-software stack available.

> Looking forward to this :)

Thank you and Eli for the positive feedback and your PKGBUILD review :)

Best regards,
Jonas



signature.asc
Description: OpenPGP digital signature


Re: [aur-general] TU application: Jonas Witschel (diabonas)

2019-09-05 Thread Robin Broda via aur-general
On 9/5/19 5:23 PM, Jonas Witschel wrote:
> Hi all,
> 
> my name is Jonas Witschel (online nick "diabonas" on the
> AUR/GitHub/GitLab/...) and I am applying as an Arch Linux Trusted User
> under the sponsorship of Bruno Pagani and Alad Wenter.
> 
Hi!

Promising application - I spent a few minutes looking over your AUR PKGBUILDs
as is customary for applicants and...

I've looked over all your AUR PKGBUILDs and must say that they're almost
spotless - good job!
This makes this PKGBUILD review rather short.

junit-system-rules is fetching a source via http - can this be avoided?
(http://search.maven.org)
It appears to be reachable via https.

That's all I've found so far.


The packages you want to adopt look useful. The 10 votes metric is more of a
general recommendation than a rule, feel free to pull those in without
hitting the metric - especially given that they are useful in specific
security contexts.

Looking forward to this :)

Regards
-- 
Rob (coderobe)

O< ascii ribbon campaign - stop html mail - www.asciiribbon.org



signature.asc
Description: OpenPGP digital signature
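The review point Rob raises in the message above (a junit-system-rules source fetched over plain http although https is available) and Jonas's reply that a prebuilt archive should at least travel over an authenticated connection describe a check that can be automated. The Python script below is an added example and is not code from this thread, from aurutils, namcap or any other Arch tooling: it extracts every entry of a PKGBUILD's source*=() arrays, strips the name::url and vcs+url decorations, and reports entries whose transport does not authenticate the server. The PKGBUILD it runs on is constructed for the example (package name, URLs and checksums are placeholders, not the real junit-system-rules package). It does not evaluate bash, so a URL whose scheme is hidden behind a variable is treated as a local file and is not flagged.

```python
"""Flag PKGBUILD sources fetched over a transport that does not authenticate the server.

Added example for this thread; not code from aurutils, namcap or any Arch tool.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Schemes where the client authenticates the peer before downloading.
# http, ftp, git:// and svn:// are not in this set and get reported.
AUTHENTICATED_SCHEMES = {"https", "ftps", "ssh"}

# Matches source=( ... ) and arch-specific variants such as source_x86_64=( ... ).
_ARRAY_RE = re.compile(r"^\s*source(?:_[A-Za-z0-9_]+)?=\((.*?)\)", re.S | re.M)
# One array item: double-quoted, single-quoted, or a bare word.
_ITEM_RE = re.compile(r'"([^"]*)"|\'([^\']*)\'|([^\s"\']+)')

# Constructed sample PKGBUILD (placeholder names, URLs and checksums; not the
# real junit-system-rules package).
SAMPLE_PKGBUILD = r'''
pkgname=example-junit-helper
pkgver=1.19.0
pkgrel=1
source=("https://example.invalid/${pkgname}-${pkgver}-src.tar.gz"
        "${pkgname}-${pkgver}.jar::http://search.maven.org/remotecontent?filepath=example/${pkgname}/${pkgver}/${pkgname}-${pkgver}.jar"
        'git+https://github.com/example/helper.git#tag=v${pkgver}'
        "git://example.invalid/mirror.git"
        "fix-build.patch")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            '1111111111111111111111111111111111111111111111111111111111111111'
            'SKIP'
            'SKIP'
            '2222222222222222222222222222222222222222222222222222222222000000')
'''


def source_entries(pkgbuild: str) -> list[str]:
    """Return every entry of every source*=() array, in order."""
    entries: list[str] = []
    for body in _ARRAY_RE.findall(pkgbuild):
        for m in _ITEM_RE.finditer(body):
            entries.append(next(g for g in m.groups() if g is not None))
    return entries


def fetch_url(entry: str) -> str | None:
    """Reduce a source entry to the URL makepkg would fetch.

    Strips the local-name prefix (name::url), the VCS prefix (git+https://)
    and the #fragment (branch/tag/commit). Returns None for local files.
    Bash variables are not expanded, so "${url}/foo" counts as local.
    """
    url = entry.split("::", 1)[1] if "::" in entry else entry
    url = url.split("#", 1)[0]
    if "://" not in url:
        return None
    prefix, rest = url.split("://", 1)
    scheme = prefix.split("+", 1)[1] if "+" in prefix else prefix
    return f"{scheme}://{rest}"


def insecure_sources(pkgbuild: str) -> list[str]:
    """Entries whose transport does not authenticate the server."""
    findings = []
    for entry in source_entries(pkgbuild):
        url = fetch_url(entry)
        if url is None:
            continue
        if urlsplit(url).scheme.lower() not in AUTHENTICATED_SCHEMES:
            findings.append(entry)
    return findings


if __name__ == "__main__":
    for entry in insecure_sources(SAMPLE_PKGBUILD):
        print(f"unauthenticated transport: {entry}")
```

On the sample it reports the http jar and the git:// mirror and accepts the https tarball and the git+https checkout. The checksum array pins whatever the maintainer downloaded, so a later tampered or stale mirror fails at build time; it says nothing about whether the copy that was pinned was the genuine one, and that is the gap an authenticated transport closes. To lint a real package, call insecure_sources() on the contents of its PKGBUILD.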


Re: [aur-general] TU application: Jonas Witschel (diabonas)

2019-09-05 Thread Eli Schwartz via aur-general
On 9/5/19 11:23 AM, Jonas Witschel wrote:
> Hi all,
> 
> my name is Jonas Witschel (online nick "diabonas" on the
> AUR/GitHub/GitLab/...) and I am applying as an Arch Linux Trusted User
> under the sponsorship of Bruno Pagani and Alad Wenter.
> 
> A few words about myself: I am a math PhD student and long-time Linux
> user. I switched to Arch Linux around 2016 because I like the idea of a
> rolling release distribution that stays close to upstream, which is
> especially beneficial when doing software development. I got more
> actively involved in contributing to Arch when the previous AUR
> maintainer of the tpm2-software stack (tpm2-tss, tpm2-abrmd and
> tpm2-tools) orphaned these packages, so I took over maintenance until
> they were adopted into [community].
> 
> I am interested in many security-related things such as Secure Boot,
> Trusted Platform Modules (TPMs), disk encryption, PGP, ... As such, I am
> a member of the tpm2-software organisation and a maintainer of tpm2-totp
> [1]. Recently I have been working on getting Web Key Directory support
> into pacman for fetching PGP keys independently of the key server
> network [2,3]. A repository of all my AUR packages can be found on
> GitLab [4].

I notice you use my aurpublish routine, so this automatically gets a +1
from me. :D

Also, your attempts to get WKD into pacman are awesome. I love to see
prospective TUs who take an interest in improving the packaging
toolchain! <3

> If I were accepted as a trusted user, I would take over maintenance of
> the tpm2-software stack from my sponsor Bruno Pagani. This makes sense
> since I am an upstream member of tpm2-software anyway and had been
> maintaining these packages until they were adopted into [community].
> Another long-time goal as a trusted user would be getting out of the box
> Secure Boot support for the Arch Linux installation images [5,6].
> 
> Packages I would like to adopt from the AUR to [community] for starters are:
> 
> - The rest of the tpm2-software stack: tpm2-tss-engine and tpm2-totp
> (when they have reached the 1% usage from pkgstats/10 votes on the AUR
> threshold), tpm2-pkcs11-git (as soon as it gets a release).
> - clevis and tang (and their dependencies jose, luksmeta)
> - sbupdate-git (I need to speak to upstream about making a release first)
> - paperkey
> - cryptomator
> - deheader
> - texworks
> - pdftk-java (an exact Java reimplementation of the very popular
> pdftk/pdftk-bin, which is hard to package since it relies on an outdated
> version of GCC)
> 
> I am looking forward to working with you and welcome any questions and
> comments!
> 
> Cheers,
> Jonas
> 
> [1] https://github.com/tpm2-software/tpm2-totp
> [2] https://bugs.archlinux.org/task/63171
> [3] https://lists.archlinux.org/pipermail/pacman-dev/2019-July/023493.html
> [4] https://gitlab.com/diabonas/aur-packages
> [5] https://bugs.archlinux.org/task/53864
> [6] https://lists.archlinux.org/pipermail/arch-releng/2019-January/003891.html
> 


-- 
Eli Schwartz
Bug Wrangler and Trusted User



signature.asc
Description: OpenPGP digital signature


Re: [aur-general] TU application: Jonas Witschel (diabonas)

2019-09-05 Thread Alad Wenter via aur-general
On Thu, Sep 05, 2019 at 05:23:20PM +0200, Jonas Witschel wrote:
> Hi all,
> 
> my name is Jonas Witschel (online nick "diabonas" on the
> AUR/GitHub/GitLab/...) and I am applying as an Arch Linux Trusted User
> under the sponsorship of Bruno Pagani and Alad Wenter.
> 
I hereby confirm my sponsorship of Jonas. Best of luck with your
application!

Alad

> A few words about myself: I am a math PhD student and long-time Linux
> user. I switched to Arch Linux around 2016 because I like the idea of a
> rolling release distribution that stays close to upstream, which is
> especially beneficial when doing software development. I got more
> actively involved in contributing to Arch when the previous AUR
> maintainer of the tpm2-software stack (tpm2-tss, tpm2-abrmd and
> tpm2-tools) orphaned these packages, so I took over maintenance until
> they were adopted into [community].
> 
> I am interested in many security-related things such as Secure Boot,
> Trusted Platform Modules (TPMs), disk encryption, PGP, ... As such, I am
> a member of the tpm2-software organisation and a maintainer of tpm2-totp
> [1]. Recently I have been working on getting Web Key Directory support
> into pacman for fetching PGP keys independently of the key server
> network [2,3]. A repository of all my AUR packages can be found on
> GitLab [4].
> 
> If I were accepted as a trusted user, I would take over maintenance of
> the tpm2-software stack from my sponsor Bruno Pagani. This makes sense
> since I am an upstream member of tpm2-software anyway and had been
> maintaining these packages until they were adopted into [community].
> Another long-time goal as a trusted user would be getting out of the box
> Secure Boot support for the Arch Linux installation images [5,6].
> 
> Packages I would like to adopt from the AUR to [community] for starters are:
> 
> - The rest of the tpm2-software stack: tpm2-tss-engine and tpm2-totp
> (when they have reached the 1% usage from pkgstats/10 votes on the AUR
> threshold), tpm2-pkcs11-git (as soon as it gets a release).
> - clevis and tang (and their dependencies jose, luksmeta)
> - sbupdate-git (I need to speak to upstream about making a release first)
> - paperkey
> - cryptomator
> - deheader
> - texworks
> - pdftk-java (an exact Java reimplementation of the very popular
> pdftk/pdftk-bin, which is hard to package since it relies on an outdated
> version of GCC)
> 
> I am looking forward to working with you and welcome any questions and
> comments!
> 
> Cheers,
> Jonas
> 
> [1] https://github.com/tpm2-software/tpm2-totp
> [2] https://bugs.archlinux.org/task/63171
> [3] https://lists.archlinux.org/pipermail/pacman-dev/2019-July/023493.html
> [4] https://gitlab.com/diabonas/aur-packages
> [5] https://bugs.archlinux.org/task/53864
> [6] https://lists.archlinux.org/pipermail/arch-releng/2019-January/003891.html
> 





signature.asc
Description: PGP signature


[aur-general] TU application: Jonas Witschel (diabonas)

2019-09-05 Thread Jonas Witschel
Hi all,

my name is Jonas Witschel (online nick "diabonas" on the
AUR/GitHub/GitLab/...) and I am applying as an Arch Linux Trusted User
under the sponsorship of Bruno Pagani and Alad Wenter.

A few words about myself: I am a math PhD student and long-time Linux
user. I switched to Arch Linux around 2016 because I like the idea of a
rolling release distribution that stays close to upstream, which is
especially beneficial when doing software development. I got more
actively involved in contributing to Arch when the previous AUR
maintainer of the tpm2-software stack (tpm2-tss, tpm2-abrmd and
tpm2-tools) orphaned these packages, so I took over maintenance until
they were adopted into [community].

I am interested in many security-related things such as Secure Boot,
Trusted Platform Modules (TPMs), disk encryption, PGP, ... As such, I am
a member of the tpm2-software organisation and a maintainer of tpm2-totp
[1]. Recently I have been working on getting Web Key Directory support
into pacman for fetching PGP keys independently of the key server
network [2,3]. A repository of all my AUR packages can be found on
GitLab [4].

If I were accepted as a trusted user, I would take over maintenance of
the tpm2-software stack from my sponsor Bruno Pagani. This makes sense
since I am an upstream member of tpm2-software anyway and had been
maintaining these packages until they were adopted into [community].
Another long-time goal as a trusted user would be getting out of the box
Secure Boot support for the Arch Linux installation images [5,6].

Packages I would like to adopt from the AUR to [community] for starters are:

- The rest of the tpm2-software stack: tpm2-tss-engine and tpm2-totp
(when they have reached the 1% usage from pkgstats/10 votes on the AUR
threshold), tpm2-pkcs11-git (as soon as it gets a release).
- clevis and tang (and their dependencies jose, luksmeta)
- sbupdate-git (I need to speak to upstream about making a release first)
- paperkey
- cryptomator
- deheader
- texworks
- pdftk-java (an exact Java reimplementation of the very popular
pdftk/pdftk-bin, which is hard to package since it relies on an outdated
version of GCC)

I am looking forward to working with you and welcome any questions and
comments!

Cheers,
Jonas

[1] https://github.com/tpm2-software/tpm2-totp
[2] https://bugs.archlinux.org/task/63171
[3] https://lists.archlinux.org/pipermail/pacman-dev/2019-July/023493.html
[4] https://gitlab.com/diabonas/aur-packages
[5] https://bugs.archlinux.org/task/53864
[6] https://lists.archlinux.org/pipermail/arch-releng/2019-January/003891.html



signature.asc
Description: OpenPGP digital signature


Re: [aur-general] TU membership application

2019-09-05 Thread Alad Wenter via aur-general


On 9/5/19 3:21 PM, Aaron Laws via aur-general wrote:
> On Thu, Sep 5, 2019 at 3:45 AM Alexander F Rødseth via aur-general <aur-general@archlinux.org> wrote:
>
>>> Sergej already confirmed sponsorship.
>> I read his reply twice, but I could not see a confirmation of sponsorship.
>> Sergej, could you please clarify?
>>
> ...
>
>> Has Sergej confirmed his sponsorship, though?
>>
> For the record, it looks like Sergej has explicitly stated that he will
> sponsor in a signed message:
>
> On Mon, Aug 19, 2019 at 9:49 AM Sergej Pupykin wrote:
>
>> Giancarlo Razzolini via aur-general wrote:
>>> Having nothing against is not the same as actively sponsoring it. All
>>> this discussion is kind of pointless until we hear from both sponsors
>>> telling us they actively sponsor Jean's application. Then the discussion
>>> period can begin.
>>
>> Ok, I am not sure about "actively" :) but I want to see parsedmarc
>> package bundle in community. As well as ghidra and coturn (which is
>> already in community), so I sponsor him.
>>
> I believe this marks the beginning of the discussion period.

Regardless of when the discussion period begins - the TU bylaws are not
exactly clear about this - I'm not sure what's left to discuss. Concerns
with this application have already been raised, and the applicant's
packages have already been reviewed.

Alad


Re: [aur-general] TU membership application

2019-09-05 Thread Aaron Laws via aur-general
On Thu, Sep 5, 2019 at 3:45 AM Alexander F Rødseth via aur-general <aur-general@archlinux.org> wrote:

> > Sergej already confirmed sponsorship.
>
> I read his reply twice, but I could not see a confirmation of sponsorship.
> Sergej, could you please clarify?
>
...

> Has Sergej confirmed his sponsorship, though?
>

For the record, it looks like Sergej has explicitly stated that he will
sponsor in a signed message:

On Mon, Aug 19, 2019 at 9:49 AM Sergej Pupykin wrote:

> Giancarlo Razzolini via aur-general wrote:
> >
> > Having nothing against is not the same as actively sponsoring it. All
> > this discussion is kind of pointless until we hear from both sponsors
> > telling us they actively sponsor Jean's application. Then the discussion
> > period can begin.
>
>
> Ok, I am not sure about "actively" :) but I want to see parsedmarc
> package bundle in community. As well as ghidra and coturn (which is
> already in community), so I sponsor him.
>

I believe this marks the beginning of the discussion period.


[aur-general] Spam user report: melissareese

2019-09-05 Thread Stanislav Seletskiy via aur-general
Profile: https://aur.archlinux.org/account/melissareese/
Spam message: 
https://aur.archlinux.org/packages/ash-mailcap-autoview/#comment-706920

-- 
Stanislav


Re: [aur-general] TU membership application

2019-09-05 Thread Alexander F Rødseth via aur-general
Hi,


Giancarlo wrote:

> Well, I think it should be the other way around, you first mentor someone
> and look with them into their packages and then decide about sponsorship.

That's your opinion, and here's mine: I don't think that's important. If a
candidate looks promising and there is an intention to both sponsor
(confirming by e-mail that the applicant is sponsored when they apply) and
an intention to mentor (at least look through the AUR packages and give
them helpful hints), I don't think the order matters, as long as everyone
is honest with each other and both things happen before the application is
sent.

That's not what happened in this case, though, since the application was
sent before there was any mentoring.


> Sergej already confirmed sponsorship.

I read his reply twice, but I could not see a confirmation of sponsorship.
Sergej, could you please clarify?


> But it seems neither of you actually mentored the applicant.

It did not happen. I explicitly wrote that I was not aware that he had sent
his application without any mentoring on my part.


> I don't think that simply foregoing the discussion period is the way to
> go.

If Sergej also confirms his sponsorship, the discussion period can begin.


>> If someone dislikes a TU application, it's easy to vote "no" in the vote
>> that follows.
>
> That's not how this should be faced. Ideally all the applications
> should have two sponsors that are actively mentoring the applicant and are
> vested into their success. If we had that, applications would be voted "yes".

This is disregarding that I was first on vacation and then didn't have the
time to do any mentoring. I did not know that an application was sent.
Please, be more generous in your interpretations.


Levente wrote:

> Not judging here by any means about the applicant himself, but I consider
> the current state as void as we frankly did not go through long discussions
> and bylaw changes to implement two sponsors if at the end it doesn't
> provide more value than having a bigger number and "having nothing against
> because someone wants a package in the repo".

Has Sergej confirmed his sponsorship, though?


-- 
Sincerely,
Alexander F Rødseth / xyproto