On Mon, Jul 17, 2023 at 11:16 AM Tomaz Canabrava <tcanabr...@kde.org> wrote:
> Hello Carsten,
>
> On Mon, 17 Jul 2023 at 11:41 Carsten Haitzler <ras...@archlinux.org> wrote:
>
>> On Mon, 17 Jul 2023 10:44:37 +0300 Tomaz Canabrava <tcanabr...@kde.org> said:
>>
>> > On Mon, 17 Jul 2023 at 10:25 Jonathan Steel <jst...@archlinux.org> wrote:
>> >
>> > > On Sun 16 Jul 2023 at 15:37, Tomaz Canabrava wrote:
>> > > > I have experience with packaging (debian, for work) but not on arch, but
>> > > > it’s shell and that thing I can handle :)
>> > >
>> > > Why not show this by maintaining some AUR packages?
>> >
>> > Mostly because there is nothing in aur that I use that lacks a maintainer.
>> > But I do have a software that is not packaged yet that I can port to aur.
>> >
>> > > > This is not gpg signed and I’m sorry for that, but gian and Antonio can
>> > > > also vouch for me as the validity of this email.
>> > >
>> > > Why is it not signed?
>> >
>> > Because I don’t have a gpg key, and when the dkim features on the email
>> > already are enough to validate that the email I send is from me.
>> >
>> > > I think you should read https://wiki.archlinux.org/title/Trusted_Users and
>> > > re-submit a signed application showing the minimum requirements are met.
>> >
>> > I have read the wiki and I have applied to a packager position following
>> > the wiki rules or explaining why I didn’t follow a part of it, I won’t
>> > re-apply because that’s a waste of everyone’s time just for the sake of
>> > ticking boxes.
>> >
>> > Summary:
>> > - [x] known on the opensource community with multiple, and used, programs
>> > - [x] packaging experience
>> > - [ ] aur / arch package experience
>> > - [x] contributes directly to upstream
>> > - [ ] signed the mail with gpg
>>
>> Then I would reject your application as you don't plan to re-try with a PGP key
>> and don't even have one.
>>
>> A PGP key is used to show that it was YOU and not someone else that signed a
>> package is a basic requirement of maintaining packages on Arch. That has
>> nothing to do with dkim or email. You'll need a PGP key for other things and if
>> you don't have one, you can't maintain packages. Signing your email with a PGP
>> key at least shows you have one and can use it for some basic things. As you're
>> clear you don't have one and have no intention of showing you do by re-applying
>> with a signed email I can't see how you would be able to maintain packages.
>>
>> In addition, you don't have any packaging experience on Arch. The first step
>> is AUR. Get your feet wet somewhere that is simpler like AUR. I would suggest
>> you get some experience there first before you have to deal with submitting
>> community etc. packages that actually have more layers of work to be done over
>> and above what AUR needs, so AUR "work" is like learning the first 50% of what
>> is needed.
>>
>> I think it'd be great if you did arrange to have a PGP key, showed us you have
>> one by signing an application after you've done some AUR packaging for a bit.
>>
>> This is what I did - I maintained some AUR packages for a while then expanded
>> the number I work on and eventually applied to maintain more "core" packages
>> because I too am an upstream.
>>
>> I'm not one of these "I must PGP sign everything" people. I'm not that
>> security-focused about my utterances by e-mail, but I do see the point of it
>> for packaging and I jumped through the hoops to deal with it.
>>
>> I get your feeling of "Why bother - it's just an email", but it's a necessary
>> component in the packaging pipeline and ecosystem. You're not expected to be
>> some PGP guru. You're just expected to be able to sign some package to say it
>> was you that packaged it and that requires you to "jump through some hoops" at
>> this stage. I hope you'll reconsider.
>
> That’s completely understandable.
>
> Today I’ll create an aur component for Codevis, a software to visualize
> large architectures I'm developing for the past three years (that just got
> opensourced)

Hello,

People are just too fast, as I was trying to start creating an AUR package for a software I just released, it's already there, so I don't think there's a need for me to re-create the same thing.

https://aur.archlinux.org/packages/codevis-db-git

I am not the developer of this package, but I could get co-maintainership of it if the original author wants to share the responsibility.

I have also created my GPG key and I can sign e-mails, but I'm behind a university proxy from Akademy, and I was not able to send the key to a keyserver.

Tomaz

> And I’ll also create a GPG key, and sign some email on this thread with it.
>
> Best,
> Tomaz
>
>> --
>> Carsten Haitzler <ras...@archlinux.org>