Re: Update to the state of the pkgsrc
Justin C. Sherrill wrote:
> On Tue, September 29, 2009 2:56 am, Hasso Tepper wrote:
> > - Official (signed?) regular pbulk builds. The current situation really isn't acceptable. I'd never use packages from random source updated randomly (no security updates). Really.
>
> This I don't know how to do, and a few seconds of googling don't explain. Can you or someone point me at what having signed packages entails? MD5 sums for all binaries?

Maybe I'm not the best person to answer this, since I've never actually done a bulk build. However, I have read a lot about it.

You already have the checksums after a bulk build. They are SHA512 sums however (not MD5) and they are located in the SHA512.bz2 file generated with the bulk build. Since generating a signature (not a checksum/normal hash!) for each package would take quite a while only the SHA512-sums get signed IIRC.

The difference between the hashes and the signature is that hashes tell you "You can be sure the file hasn't been modified after the hash was generated." The problem is you don't know who actually created the packages and the hashes. If you have a signature it tells you "This (hash)file was created/signed with that key. If you can be sure the key is used by someone you can trust the content of this file should be okay."

The process is documented here: http://www.netbsd.org/docs/pkgsrc/bulk.html#bulk-upload

About GnuPG/PGP: There are tons of howtos on this topic. It only looks complicated on the first view.

I hope this is what you wanted to know :-)

Greetings,
Christian
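
The trust chain described in the message above, as an added example that is not part of the original thread: verify the signature on the checksum file first, then compare each package against it. The manifest line format `SHA512 (file) = digest`, the `.tgz` suffix and all function names are assumptions made for this sketch.

```python
import bz2
import hashlib
import re
import subprocess
from pathlib import Path

# Assumed manifest line format (BSD cksum style): SHA512 (name.tgz) = <128 hex>
LINE_RE = re.compile(r"^SHA512 \((?P<name>[^)/]+)\) = (?P<hex>[0-9a-f]{128})$")


def signature_ok(manifest: Path, detached_sig: Path) -> bool:
    """True only if gpg accepts the detached signature over the manifest.
    Which keys count as trusted is decided by the local keyring."""
    result = subprocess.run(
        ["gpg", "--verify", str(detached_sig), str(manifest)],
        capture_output=True,
    )
    return result.returncode == 0


def load_manifest(manifest: Path) -> dict:
    """Parse SHA512.bz2 into {package file name: expected hex digest}."""
    expected = {}
    for line in bz2.decompress(manifest.read_bytes()).decode().splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unparseable manifest line: {line!r}")
        expected[m["name"]] = m["hex"]
    return expected


def check_packages(pkg_dir: Path, expected: dict) -> dict:
    """Classify every file as ok, modified, missing, or unlisted."""
    report = {}
    for name, digest in expected.items():
        path = pkg_dir / name
        if not path.is_file():
            report[name] = "missing"
            continue
        actual = hashlib.sha512(path.read_bytes()).hexdigest()
        report[name] = "ok" if actual == digest else "modified"
    for path in pkg_dir.glob("*.tgz"):
        # Present on disk but not covered by the signed manifest.
        report.setdefault(path.name, "unlisted")
    return report
```

Call `signature_ok` first and stop if it fails; a matching hash proves nothing when the manifest itself is unauthenticated.
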
Update to the state of the pkgsrc
- I no longer have the hardware to do regular full pbulk builds from pkgsrc HEAD with DragonFly master.
- I no longer have much time to care about either.

This doesn't mean that I will not do anything any more etc, but I don't have resources any more to care about pkgsrc for DragonFly community I did up to now. Also I think that some things need to change to preserve usability of pkgsrc at all for DragonFly users.

- Official (signed?) regular pbulk builds. The current situation really isn't acceptable. I'd never use packages from random source updated randomly (no security updates). Really.
- Public logs from all pbulk builds. The logs are there for reason. I don't see any in the avalon at the moment. How people should fix anything even if they care?
- Using bug tracking systems for pkgsrc bugs. I'd recommend using NetBSD GNATS for bugs which are addressed to the pkgsrc committers à la "here is a patch to make package x/y build on DragonFly" and bugs.dragonflybsd.org for reports which need to be investigated by DragonFly developers (à la "the package x/y doesn't build or work on DragonFly").

Once again - it doesn't mean that I quit or smth. I still can take care of committing patches to the pkgsrc (you can kick me by mail if something is stuck in the GNATS), I will continue to maintain my packages and doing some general pkgsrc work. I just don't have the resources to continue the "fix as much of pkgsrc as possible" work I did up to now.

But it also means that things will rot quite fast in the pkgsrc. To preserve usability of the pkgsrc, the help from community is very much needed.

--
Hasso Tepper
Re: Update to the state of the pkgsrc
Hasso Tepper wrote:
> - Official (signed?) regular pbulk builds. The current situation really isn't acceptable. I'd never use packages from random source updated randomly (no security updates). Really.
> - Public logs from all pbulk builds. The logs are there for reason. I don't see any in the avalon at the moment. How people should fix anything even if they care?

I could not agree more. Possibly even a mail when a new build+upload has finished.

Has the build stalled again? I keep seeing these -upload directories since weeks, without any packages actually trickling in.

cheers
simon
Re: Update to the state of the pkgsrc
On Tue, September 29, 2009 2:56 am, Hasso Tepper wrote:
> - Official (signed?) regular pbulk builds. The current situation really isn't acceptable. I'd never use packages from random source updated randomly (no security updates). Really.

This I don't know how to do, and a few seconds of googling don't explain. Can you or someone point me at what having signed packages entails? MD5 sums for all binaries?

I'm working on the more regular builds thing. My biggest obstacle is time - I can only work on this at the end of the day, so there's 24 hours between trying something and seeing if it worked in the best of circumstances. In worst case, it takes more than a week (a full build).

> - Public logs from all pbulk builds. The logs are there for reason. I don't see any in the avalon at the moment. How people should fix anything even if they care?

I'll work on getting this into (out of?) the automated builds.

> - Using bug tracking systems for pkgsrc bugs. I'd recommend using NetBSD GNATS for bugs which are addressed to the pkgsrc committers à la "here is a patch to make package x/y build on DragonFly" and bugs.dragonflybsd.org for reports which need to be investigated by DragonFly developers (à la "the package x/y doesn't build or work on DragonFly").

I think if we (meaning DragonFly-using people) communicated more to general pkgsrc developers, it would help. I've been watching traffic on the pkgsrc-users lists for a while, and when people describe problems with packages on DragonFly or elsewhere, I see it addressed.