Re: [aur-general] TU application - bastelfreak

2020-10-21 Thread Jelle van der Waa
On 18/10/2020 17:39, Tim Meusel via aur-general wrote:
> Hi!
> 
> I'm Tim Meusel and I want to spend more time in the Arch Linux community
> and increase the package quality. I first got in touch with open source
> some years ago in the Puppet Community [0] where I started to love
> Puppet and FOSS. At the moment I'm employed at a big ISP where I
> maintain a few thousand systems. My solution of choice for configuration
> management is Puppet because it fulfills all requirements and is easy to
> extend. For a few projects I require up2date systems with modern
> software, that's why I chose Arch Linux. Since Puppet was already
> present in the company, the Arch Linux boxes were puppetized as well. I
> wrote or contributed to multiple packages related to Puppet on Arch
> Linux. foxxx0 and shibumi were so kind to continue maintaining them
> in the official repositories:

Yay, I like seeing applications who want to help maintain packages which
are already in our repositories!

Some notes on your AUR packages:

* choria-io
  - 'github.com/choria-io/go-choria/build.BuildDate=$(date '+%F %T %z')'
Recording the build date is non-reproducible and will give
reproducibility issues. SOURCE_DATE_EPOCH can be used to make it
reproducible, see https://reproducible-builds.org/docs/source-date-epoch/

  - systemd unit could have some systemd hardening applied, see the wiki
or 'man systemd.exec'

https://wiki.archlinux.org/index.php/Arch_package_guidelines/Security#Systemd_services

* log4r
  - Package lacks a license=(), upstream url is no longer valid it seems?

* tftp-hpa-destruct
  - systemd service could use some hardening
  - how did you obtain the LICENSE file? From their official website?
  It's interesting it's not in the official tarball :)

Greetings,

Jelle

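Jelle's hardening note applies to both the choria-io and the tftp-hpa-destruct units. The drop-in below is an added example, not taken from either package; the unit name `example-daemon` and the directory names are placeholders, and the directive set is the generic one from `man systemd.exec` for a long-running network daemon that has to bind a privileged port:

```ini
# Added example (not from the choria-io or tftp-hpa-destruct PKGBUILDs).
# Placeholder path: /etc/systemd/system/example-daemon.service.d/hardening.conf
[Service]
# Run as an unprivileged transient user; keep only the capability needed to
# bind a port below 1024 (tftp's 69/udp, for instance). Drop both lines if the
# daemon binds an unprivileged port.
DynamicUser=yes
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes

# Filesystem: / read-only, no /home, private /tmp and /dev, kernel
# interfaces masked. Only the directories listed here stay writable; a
# daemon that writes elsewhere needs those paths in ReadWritePaths=.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
StateDirectory=example-daemon
LogsDirectory=example-daemon

# Address families a plain IPv4/IPv6 service needs; add AF_NETLINK only if
# the daemon actually enumerates interfaces via netlink.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
# Fine for Go and C daemons; breaks runtimes that JIT (JVM, Node, ...).
MemoryDenyWriteExecute=yes
RemoveIPC=yes

# Syscall allow-list for ordinary services, minus the privileged and
# resource-management groups. Failures show up as EPERM in the journal.
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
```

Apply it with `systemctl daemon-reload`, restart the unit, and compare `systemd-analyze security example-daemon.service` before and after; then exercise the daemon's real code paths (uploads as well as downloads for a tftp server) and watch the journal for EPERM or missing-path errors, relaxing one directive at a time rather than dropping the whole drop-in.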


Re: [aur-general] TU application - bastelfreak

2020-10-21 Thread Morten Linderud via aur-general
On Sun, Oct 18, 2020 at 05:39:41PM +0200, Tim Meusel via aur-general wrote:
> Hi!

Yo!
 
> Besides working on open source projects, I spend a huge amount of time
> on my second passion, cooking and doing BBQ. From time to time I also
> attend ice hockey events as a visitor but also as hobby-referee or player.

Yes.. I heard some rumors about team members ice skating and ending up with
stitches during this year's FOSDEM. This might be more useful information than
you know :D

> As a trusted user I would like to co-maintain those packages, enable
> tests on the PKGBUILDs where tests are currently missing (for example
> ruby-puppet-resource_api, ruby-semantic_puppet and Puppet), fix the
> remaining namcap warnings (for example on facter and libwhereami) and
> also import some other Puppet related tools into the official
> repository. Some of them are already in the AUR (not all maintained by
> myself):
> 
> [snip package list]

How interested would you be to pick up a bit on the Ruby Gem package guidelines
on the wiki, and how are you currently keeping track of package updates?

https://wiki.archlinux.org/index.php/Ruby_Gem_package_guidelines

> I talked to shibumi and hashworks in the past days, both reviewed the
> packages and agreed to sponsor my application.

Generally they look nice and I don't spot any major rewrites as part of the
sponsor reviewing. Which is a good sign I guess!  I don't know ruby very well,
which is why it was *very* fortunate that you uploaded a Go PKGBUILD today :)
Now I have some pointers!

Generally speaking it's fine. I think the `glibc` in `depends` makes no sense
when there are other dependencies present, but it's generally not an issue.

Before `prepare` you have listed 8 environment variables for the go compiler,
generally they should be inside the given functions as makepkg does magic to the
environment between the different prepare/build/check/package steps. So this is
wrong and should be moved inside build and check.

`prepare` is fine, but `$srcdir` is not really needed. But that is more a
cosmetic thing.

`build` is fine, but it has a few issues. Where is the build.SHA from? BuildDate
is set to the current time, which is not reproducible. Preferably it should adhere
to `SOURCE_DATE_EPOCH` as noted by Reproducible Builds like so:

 -X 'github.com/choria-io/go-choria/build.BuildDate=$(date -d@"${SOURCE_DATE_EPOCH}" '+%F %T %z')'

But apart from that both check and package are fine.

> I'm available on Freenode as bastelfreak. I'm pretty active in
> #archlinux.de and #voxpupuli. My GPG key fingerprint is
> C10B6298A584A5632E254DA304D659E6BF1C4CC0

As noted in another email, rsa2048 is bordering on weak these days. It would be
preferable to update the keysize if you do get accepted. Preferably as part of
the application :)

> best regards, Tim

Cheers and good luck!

-- 
Morten Linderud
PGP: 9C02FF419FECBE16
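Both replies above ask for BuildDate to be derived from SOURCE_DATE_EPOCH, and Morten's adds that the Go environment variables belong inside `build()` rather than at PKGBUILD file scope. The script below is an added example, not code from the thread or from the choria-io PKGBUILD: the helper names `build_date_from_epoch` and `go_ldflags` are mine, it assumes GNU `date` (as on Arch), and `build()` assumes the usual `$srcdir`/`$pkgver` PKGBUILD variables, a Go toolchain and the unpacked source. One detail the thread's one-liner leaves out: the timestamp has to be formatted in UTC as well, otherwise `%z` (and the hour) still varies with the builder's timezone.

```shell
#!/usr/bin/env bash
# Added example; not from the original thread or the choria-io PKGBUILD.
# Assumes GNU date. build() additionally assumes the go toolchain and the
# PKGBUILD variables $srcdir and $pkgver; helper names are hypothetical.

# Turn SOURCE_DATE_EPOCH (seconds since the epoch, exported by makepkg) into
# the timestamp string handed to go-choria. -u pins the output to UTC so the
# "%z" offset and the hour cannot depend on the build host's TZ. The fallback
# to "now" only applies when SOURCE_DATE_EPOCH is unset, i.e. outside makepkg.
build_date_from_epoch() {
    local epoch="${1:-${SOURCE_DATE_EPOCH:-$(date +%s)}}"
    date -u -d "@${epoch}" '+%F %T %z'
}

# Build the -X assignment for build.BuildDate from a given epoch. Kept as a
# separate function so the resulting string can be checked without a compiler.
go_ldflags() {
    local epoch="$1"
    printf -- "-X 'github.com/choria-io/go-choria/build.BuildDate=%s'" \
        "$(build_date_from_epoch "$epoch")"
}

# build() as it would sit in the PKGBUILD. The Go environment is exported
# here, inside the function: makepkg resets the environment between the
# prepare/build/check/package steps, so exports at file scope do not survive.
build() {
    cd "${srcdir}/go-choria-${pkgver}"
    export CGO_CPPFLAGS="${CPPFLAGS}" CGO_CFLAGS="${CFLAGS}" \
           CGO_CXXFLAGS="${CXXFLAGS}" CGO_LDFLAGS="${LDFLAGS}"
    export GOFLAGS="-buildmode=pie -trimpath -mod=readonly -modcacherw"
    go build -ldflags "-linkmode=external $(go_ldflags "${SOURCE_DATE_EPOCH}")" \
        -o choria .
}
```

Running `SOURCE_DATE_EPOCH=1603238400 bash -c '. ./example.sh; go_ldflags "$SOURCE_DATE_EPOCH"'` twice on two machines in different timezones gives the identical `-X 'github.com/choria-io/go-choria/build.BuildDate=2020-10-21 00:00:00 +0000'`, which is the property the reproducible-builds rebuilders check; the same goes for `check()`, which needs the same exports repeated inside it for the same reason.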