Hello Carsten,

On Mon, 17 Jul 2023 at 11:41 Carsten Haitzler <ras...@archlinux.org> wrote:

> On Mon, 17 Jul 2023 10:44:37 +0300 Tomaz Canabrava <tcanabr...@kde.org>
> said:
>
> > On Mon, 17 Jul 2023 at 10:25 Jonathan Steel <jst...@archlinux.org> wrote:
> >
> > > On Sun 16 Jul 2023 at 15:37, Tomaz Canabrava wrote:
> > > > I have experience with packaging (debian, for work) but not on arch, but
> > > > it’s shell and that thing I can handle :)
> > >
> > > Why not show this by maintaining some AUR packages?
> >
> >
> > Mostly because there is nothing in aur that I use that lacks a maintainer.
> > But I do have a software that is not packaged yet that I can port to aur.
> >
> >
> >
> > > > This is not gpg signed and I’m sorry for that, but gian and Antonio can
> > > > also vouch for me as to the validity of this email.
> > >
> > > Why is it not signed?
> >
> >
> > Because I don’t have a gpg key, and when the dkim features on the email
> > already are enough to validate that the email I send is from me.
> >
> >
> > >
> > > I think you should read https://wiki.archlinux.org/title/Trusted_Users and
> > > re-submit a signed application showing the minimum requirements are met.
> >
> >
> > I have read the wiki and I have applied to a packager position following
> > the wiki rules or explaining why I didn’t follow a part of it, I won’t
> > re-apply because that’s a waste of everyone’s time just for the sake of
> > ticking boxes.
> >
> > Summary:
> > - [x] known on the opensource community with multiple, and used, programs
> > - [x] packaging experience
> > - [ ] aur / arch package experience
> > - [x] contributes directly to upstream
> > - [ ] signed the mail with gpg
>
> Then I would reject your application as you don't plan to re-try with a PGP key
> and don't even have one.
>
> A PGP key, which is used to show that it was YOU and not someone else that signed a
> package, is a basic requirement of maintaining packages on Arch. That has nothing to
> do with dkim or email. You'll need a PGP key for other things and if you don't have
> one, you can't maintain packages. Signing your email with a PGP key at least shows
> you have one and can use it for some basic things. As you're clear you don't have one
> and have no intention of showing you do by re-applying with a signed email I can't
> see how you would be able to maintain packages.
>
> In addition, you don't have any packaging experience on Arch. The first step
> is AUR. Get your feet wet somewhere that is simpler like AUR. I would suggest
> you get some experience there first before you have to deal with submitting
> community etc. packages that actually have more layers of work to be done over
> and above what AUR needs, so AUR "work" is like learning the first 50% of what
> is needed.
>
> I think it'd be great if you did arrange to have a PGP key, showed us you have
> one by signing an application after you've done some AUR packaging for a bit.
>
> This is what I did - I maintained some AUR packages for a while then expanded
> the number I work on and eventually applied to maintain more "core" packages
> because I too am an upstream.
>
> I'm not one of these "I must PGP sign everything" people. I'm not that
> security-focused about my utterances by e-mail, but I do see the point of it
> for packaging and I jumped through the hoops to deal with it.
>
> I get your feeling of "Why bother - it's just an email", but it's a necessary
> component in the packaging pipeline and ecosystem. You're not expected to be
> some PGP guru. You're just expected to be able to sign some package to say it
> was you that packaged it and that requires you to "jump through some hoops" at
> this stage. I hope you'll reconsider.


That’s completely understandable.

Today I’ll create an aur component for Codevis, a software to visualize
large architectures I’m developing for the past three years (that just got
opensourced).

And I’ll also create a GPG key, and sign some email on this thread with it.

Best,
Tomaz

>
>
>
> --
> Carsten Haitzler <ras...@archlinux.org>
>
