On 17 June 2010 01:34, Allan McRae al...@archlinux.org wrote:
On 17/06/10 00:48, Guillaume ALAUX wrote:
Are the python scripts in the pacbuild package (apple, strawberry,
queuepackage, waka and uploadpackage) used any more as described in this
pagehttp://wiki.archlinux.org/index.php/Pacbuild
On Sun, 13 Jun 2010 12:46:09 +0200
Xavier Chantry chantry.xav...@gmail.com wrote:
It's all there :
http://projects.archlinux.org/users/allan/pacman.git/log/?h=gpg and
there :
http://wiki.archlinux.org/index.php/Package_Signing_Proposal_for_Pacman
Come back to us when everything is
On 16 June 2010 02:23, Allan McRae al...@archlinux.org wrote:
Just to clarify the build process that goes on here:
1) make a clean chroot (mkarchroot - only needs done once)
2) build package in chroot (makechrootpkg)
3) upload package to staging area and commit to svn (e.g. testingpkg)
4)
On Tue, 15 Jun 2010, Denis A. Altoé Falqueto wrote:
The proposed model is based on the web of trust. We would trust on
some keys to sign other keys. The main keys would be kept by some high
trusty developers. They would sign the public keys of the other
developers (and their personal keys too)
On Tue, 15 Jun 2010, Ionuț Bîru wrote:
i found this annoying since, debugging is more harder, i have to download the
resulted package to test it, send it, wait for the pool to come. is a mess :D
even if my system is compromised, we build our packages in clean chroots.
The workflow won't be
Hey, what do you think about this way of verifying packages?
On Tue, 15 Jun 2010, Dimitrios Apostolou wrote:
On another note, an easy but maybe a bit costly way to avoid any MITM
tampering to packages, is serve *.md5 files for every package through a
trusted HTTPS host. Then everyone can query
On Wed, Jun 16, 2010 at 6:08 PM, Dimitrios Apostolou ji...@gmx.net wrote:
Hey, what do you think about this way of verifying packages?
On Tue, 15 Jun 2010, Dimitrios Apostolou wrote:
On another note, an easy but maybe a bit costly way to avoid any MITM
tampering to packages, is serve *.md5
On 17/06/10 00:48, Guillaume ALAUX wrote:
Are the python scripts in the pacbuild package (apple, strawberry,
queuepackage, waka and uploadpackage) used any more as described in this
pagehttp://wiki.archlinux.org/index.php/Pacbuild ? Because some of these
scripts point to the old current
On Wed, 16 Jun 2010, Dan McGee wrote:
On Wed, Jun 16, 2010 at 6:08 PM, Dimitrios Apostolou ji...@gmx.net wrote:
Hey, what do you think about this way of verifying packages?
On Tue, 15 Jun 2010, Dimitrios Apostolou wrote:
On another note, an easy but maybe a bit costly way to avoid any MITM
On Wed, Jun 16, 2010 at 6:35 PM, Dimitrios Apostolou ji...@gmx.net wrote:
On Wed, 16 Jun 2010, Dan McGee wrote:
On Wed, Jun 16, 2010 at 6:08 PM, Dimitrios Apostolou ji...@gmx.net
wrote:
Hey, what do you think about this way of verifying packages?
On Tue, 15 Jun 2010, Dimitrios Apostolou
On Mon, 14 Jun 2010, Denis A. Altoé Falqueto wrote:
And keep in mind that package signing per se will not solve this kind
of problems. Repository database signing is more important for that
solution, but is a problem in the current workflow of Arch developers.
How exactly is core and extra
On Tue, Jun 15, 2010 at 10:57 AM, Dimitrios Apostolou ji...@gmx.net wrote:
On Mon, 14 Jun 2010, Denis A. Altoé Falqueto wrote:
And keep in mind that package signing per se will not solve this kind
of problems. Repository database signing is more important for that
solution, but is a problem
How exactly is core and extra database populated?
Moreover, instead of building all packages in the private PCs of
developers
Packages are not build on developers computers but on build machines as
explained here http://wiki.archlinux.org/index.php/Pacbuild
On Tue, Jun 15, 2010 at 8:58 AM, Guillaume ALAUX guilla...@alaux.net wrote:
How exactly is core and extra database populated?
Moreover, instead of building all packages in the private PCs of
developers
Packages are not build on developers computers but on build machines as
explained here
On 15 June 2010 16:46, Dan McGee dpmc...@gmail.com wrote:
On Tue, Jun 15, 2010 at 8:58 AM, Guillaume ALAUX guilla...@alaux.net
wrote:
How exactly is core and extra database populated?
Moreover, instead of building all packages in the private PCs of
developers
Packages are not build on
On 15 June 2010 16:55, Dimitrios Apostolou ji...@gmx.net wrote:
On Tue, 15 Jun 2010, Denis A. Altoé Falqueto wrote:
On Tue, Jun 15, 2010 at 10:57 AM, Dimitrios Apostolou ji...@gmx.net
wrote:
Moreover, instead of building all packages in the private PCs of
developers,
I think it is
On Tue, Jun 15, 2010 at 11:43 AM, Aleksis Jauntēvs
aleksis.jaunt...@gmail.com wrote:
On Tuesday 15 June 2010 19:37:00 Pierre Schmitz wrote:
On Tue, 15 Jun 2010 19:23:14 +0300, Aleksis Jauntēvs
aleksis.jaunt...@gmail.com wrote:
I dont think that repo.db should be signed and it is enough to
Just to clarify the build process that goes on here:
1) make a clean chroot (mkarchroot - only needs done once)
2) build package in chroot (makechrootpkg)
3) upload package to staging area and commit to svn (e.g. testingpkg)
4) release package on master server adding it to repo (e.g. db-testing)
On Sun, Jun 13, 2010 at 7:46 AM, Xavier Chantry
chantry.xav...@gmail.com wrote:
On Sun, Jun 13, 2010 at 11:38 AM, Ananda Samaddar ana...@samaddar.co.uk
wrote:
This is the reason why we need package signing for Pacman. I'm aware
that some progress has been made and it's being worked on. Are
On Sun, 13 Jun 2010 09:58:38 +0200
Thomas Bächler tho...@archlinux.org wrote:
Am 13.06.2010 02:33, schrieb Alexander Duscheleit:
OTOH the original mail was meant more to alert *users* of
unrealircd, the maintainer should actually already have been
noticed via the bug.
In that case, it
On Sun, 13 Jun 2010 19:48:53 +1000
Allan McRae al...@archlinux.org wrote:
This is the reason why we need package signing for Pacman. I'm
aware that some progress has been made and it's being worked on.
Are there any updates?
Yes... because package signing magically fixes all
On Sun, Jun 13, 2010 at 11:38 AM, Ananda Samaddar ana...@samaddar.co.uk wrote:
This is the reason why we need package signing for Pacman. I'm aware
that some progress has been made and it's being worked on. Are there
any updates?
It's all there :
On Sun, 2010-06-13 at 10:48 +0100, Ananda Samaddar wrote:
On Sun, 13 Jun 2010 19:48:53 +1000
Allan McRae al...@archlinux.org wrote:
This is the reason why we need package signing for Pacman. I'm
aware that some progress has been made and it's being worked on.
Are there any
23 matches
Mail list logo