e time by projects trying to inflate public impressions
of their size: you're aware that GitHub counts someone as a
"contributor" even if all they do is leave a comment on a bug report,
right? By that gauge, Debian is probably orders of magnitude larger.
--
Jeremy Stanley
On 2024-08-01 22:10:58 +0100 (+0100), Luca Boccassi wrote:
> On Thu, 1 Aug 2024 at 18:23, Jeremy Stanley wrote:
> >
> > On 2024-08-01 12:23:43 +0100 (+0100), Luca Boccassi wrote:
> > [...]
> > > To pick a random example, a less well known, less used, less
> > >
, nothing like the scale
of GitHub, so I wouldn't recommend building large-scale workflows
around our loose-knit community patterns.
--
Jeremy Stanley
signature.asc
Description: PGP signature
urity content[***]. Hope that helps.
[*] https://bugs.debian.org/1069654
[**] https://bugs.debian.org/1009804
[***] https://bugs.debian.org/1074468
--
Jeremy Stanley
urselves back then) to track the entirety of
/etc in RCS. Yes having an auditable change history for your
configuration is useful, but Git didn't invent that. Git has merely
supplanted all prior version control systems, for this use case as
well as others.
--
Jeremy Stanley
On 2024-08-26 21:28:38 -0700 (-0700), Otto Kekäläinen wrote:
> On Tue, 2 Apr 2024 at 17:19, Jeremy Stanley wrote:
> > On 2024-04-02 16:44:54 -0700 (-0700), Russ Allbery wrote:
> > [...]
> > > I think a shallow clone of depth 1 is sufficient, although that's not
> >
sometimes like trying to steer a train.
--
Jeremy Stanley
ecking generated files into version control if they can be
recreated from existing contents of version control (not merely the
versioned files but also the accompanying metadata).
--
Jeremy Stanley
On Thu, Oct 12, 2006 at 09:14:19AM +0200, Mario Iseli wrote:
> Ok, this is a good argument.
> I think the opinion is more or less clear:
>
> Some people think it would be a nice idea, BUT it can be also a problem
> because some people want more than one Ircd on a system.
>
> I only wanted to ask
On Mon, Mar 20, 2006 at 05:39:23PM -0600, Ron Johnson wrote:
> On Mon, 2006-03-20 at 23:15 +0000, Colin Watson wrote:
> > On Mon, Mar 20, 2006 at 02:51:25PM -0800, Mark Shuttleworh wrote:
> >
> > (In case it wasn't clear, this wasn't Mark Shuttlewor*t*h posting.
> > Please don't feed the troll.)
>
from what
dh_make (0.40) gives right now. The default is...
This package was debianized by Jeremy Stanley <[EMAIL PROTECTED]> on
Sun, 26 Mar 2006 19:12:01 +.
It was downloaded from
Copyright Holder:
License:
...with no dates of copyright and no implication (in th
On Sat, Apr 22, 2006 at 08:02:20PM +0200, gregor herrmann wrote:
> You might (with your upstream hat on) take a look at (python-)pymetar,
> a nice python module that can retrieve METAR data from all around the
> world.
Thanks! I actually looked at it before I started writing my util,
and it looks
On Fri, Jun 30, 2006 at 12:12:10PM +0200, Adam Borowski wrote:
> Oh, so you mean checking the _free_ RAM instead of the _physical_ RAM?
> This would be reasonable -- I didn't use this in the debian/rules
> snippet I proposed as the physical memory is a trivially discernable
> number while free RAM
On Tue, Oct 23, 2007 at 09:15:42AM +0200, Fabian Greffrath wrote:
[...]
> I suggest that, if such a repository will be created for patented
> codecs, that e.g. sponsored uploads will not be allowed to this
> archive. I know that most of you will hate this idea, but I
> believe it is necessary to ke
'
...in my ~/.bash_aliases file. Works like a charm. But given that I
prefer ratpoison and a screen full of xterms, I'll bow out of the
rest of this thread.
--
Jeremy Stanley
--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Tro
e to discard their output in
the name of consistency. *Please* don't replace upstream's release
tarballs just because they have a VCS.
--
Jeremy Stanley
will do if you want to contribute to the upstream project.
Makes sense. So then why does Debian (and for that matter so many
other distributions outside of the *BSDs) base source packages on
tarballs rather than building binary packages directly out of a VCS?
It seems a contradiction on the one hand to assert that you don't
need tarballs any longer but then on the other hand still rely on
them completely.
--
Jeremy Stanley
Archive: https://lists.debian.org/20140818204021.gv1...@yuggoth.org
> Also, why the forensic investigation wouldn't instead check that the
> generated tarballs are really based on the correct PGP signed tags?
[...]
If there is a release-time build step between the VCS tag and the
tarball, then this can become nontrivial.
--
Jeremy Stanley
On 2014-08-20 02:32:10 +0800 (+0800), Thomas Goirand wrote:
[...]
> Good! For the moment, it has worked nicely, apart from the fact that
> *some* upstream, like Jeremy Stanley, don't like it. I honestly feel
> sorry about that, especially with people like Jeremy and other OpenStack
eam to avoid confusion around
this is to stop releasing or otherwise emphasizing tarballs,
especially if downstream packagers won't be using them anyway and
will replace them with their own because their tools/workflows are
optimized to do that instead.
--
Jeremy Stanley
On 2013-06-05 15:02:35 -0700 (-0700), Russ Allbery wrote:
[...]
> Did I miss anything?
I don't understand at all how you could have missed such a prime
opportunity to rile up the vi vs. emacs debate while you were at
it... or am I showing my age?
--
{ PGP( 48F9961143495829 ); FINGER( fu...@cthulh
On 2013-06-12 02:09:24 +0800 (+0800), Chow Loong Jin wrote:
> On Tue, Jun 11, 2013 at 08:01:58PM +0200, Daniel Pocock wrote:
> >
> > What about replacing SMTP?
>
> With what?
With ESMTP, of course!
--
{ PGP( 48F9961143495829 ); FINGER( fu...@cthulhu.yuggoth.org );
WWW( http://fungi.yuggoth.org/
On 2013-06-11 23:50:01 +0200 (+0200), Daniel Pocock wrote:
> Something that doesn't have these limitations:
>
> http://tools.ietf.org/html/rfc2487#section-7
[...]
That basically just makes the case for relying on (E)SMTP only for
transporting messages, but leveraging OpenPGP or S/MIME to provide
On 2013-06-12 08:08:17 +0200 (+0200), Daniel Pocock wrote:
> On 12/06/13 00:02, Jeremy Stanley wrote:
> > That basically just makes the case for relying on (E)SMTP only for
> > transporting messages, but leveraging OpenPGP or S/MIME to provide
> > authentication and confident
On 2013-08-05 14:13:15 +0100 (+0100), Ian Jackson wrote:
[...]
> The other is the assertion that this particular case involves a
> generated data table. If this is the case then the source package
> needs to contain the source code which generates the table - and,
> really, it should regenerate the
On 2013-08-05 16:41:13 +0100 (+0100), Ian Jackson wrote:
[...]
> There should IMO be a standard way to request a source package to do
> from-scratch rebuilds for this kind of thing, for QA purposes.
I absolutely agree. If there were a standard make target or envvar
for this purpose I would gladly
On 2012-10-17 23:55:08 +0200 (+0200), Philipp Kern wrote:
> On Wed, Oct 17, 2012 at 05:48:39PM -0400, you wrote the following:
> > > With the danger of being sued if you put up the result onto the public
> > > interwebs.
> >
> > Could you please expand on that? Logo / trademark reasons or li
On 2012-12-04 12:42:33 -0800 (-0800), Russ Allbery wrote:
[...]
> The main issue for some of us is not so much the ethical
> objections to these sorts of agreements but rather the fact that
> our employers flatly are not interested in signing anything of the
> sort, ever, with anyone. Much of my fr
On 2012-12-25 22:50:57 +1000 (+1000), Mistikos Nik wrote:
[...]
> Debian used to be really popular. Now only old people use it.
[...]
I suddenly feel very old. What distribution do twelve-year-old
trolls use these days, if not Debian? Have we lost our key
demographic?
--
{ WHOIS( STANL3-ARIN ); WW
On 2012-12-31 10:38:54 -0500 (-0500), Kris Deugau wrote:
> Serious question - is this a real manpage? If so, which package is
> it in?
[...]
It's introduced in Wheezy and available in backports for Squeeze:
http://packages.debian.org/distro-info
http://bugs.debian.org/559761
--
{ WHOIS( STANL3
On 2013-01-10 17:54:28 +0000 (+0000), Bart Martens wrote:
> I guess you meant : It's conventional (although not entirely
> legally sound) in the free software community to just assume that
> the copyright of any patch submitted without any explicit
> copyright and license statement is transferred (
On 2013-03-08 14:52:48 +0100 (+0100), Thomas Koch wrote:
[...]
> http://openstack-ci.github.com/publications/
[...]
I'm one of the core developers for the team which manages all that
tooling and integration for the OpenStack Project, so I'm happy to
discuss some of the nitty-gritty details, any go
On 2013-03-08 12:44:36 -0800 (-0800), Russ Allbery wrote:
> Thank you very much for working on this! We use Gerrit extensively but so
> far just haven't packaged it because it was too intimidating.
Agreed, if Gerrit gets packaged in Debian/Ubuntu I'll likely push
OpenStack to start using DEBs of
On 2013-03-09 23:33:47 +0800 (+0800), Thomas Goirand wrote:
[...]
> I also need to understand how to secure Jenkins. Because
> by default, it's impressive how much Jenkins is a security
> hole where you can execute any command. I was tempted
> to file a bug report against the package because of it.
On 2013-03-21 02:15:18 +0800 (+0800), Thomas Goirand wrote:
> On 03/20/2013 11:54 PM, Pascal Giard wrote:
> > I would have much preferred to have this disabled by default.
>
> I would have preferred the picture thing to be hosted
> without gravatar support (libravatar is hosted by a DD,
> and you
On 2013-03-21 18:07:26 -0700 (-0700), Russ Allbery wrote:
> I will at least make a plea for ISO dates rather than the specific date
> format in the last two examples.
>
> I think my favorite is the last example, with an ISO date (2023-03-21).
[...]
Another alternative, not represented, is epoch s
On 2013-03-22 21:44:21 +0100 (+0100), Guido Günther wrote:
> Gerrit's Jenkins integration is awesome.
[...]
OpenStack CI has some additional tools which help avoid the need to
interact directly with Jenkins too much. There's Zuul (the
gatekeeper) which watches the Gerrit event stream and triggers
On 2013-03-22 21:08:18 +0000 (+0000), Jeremy Stanley wrote:
[...]
> watches the Gerrit event stream and triggers jobs in Jenkins as a
> result of matching again patterns defined a YAML configuration
> file
[...]
Yeesh. I clearly shouldn't write E-mail when I'm rushing off to e
On 2013-04-04 16:00:34 +0200 (+0200), Andreas Tille wrote:
[...]
> I can not see how Joey[1] and Daniel[3] would solve these problems when
> they are not interested in upstream tarball releases any more.
It's worth pointing out, packagers should not assume just because an
upstream uses a VCS with p
On 2013-05-09 15:58:02 +0800 (+0800), Thomas Goirand wrote:
> On 05/07/2013 10:34 PM, Paul Wise wrote:
> > On Tue, May 7, 2013 at 10:12 PM, Thomas Goirand wrote:
[...]
> > > Also, the rule in backports is that packages should be
> > > already migrated to testing. The point is, if I had PPAs, I
> >
On 2013-05-09 22:55:33 +0800 (+0800), Thomas Goirand wrote:
[...]
> And I seriously wished it wasn't the case, and that upstream
> understood better what the distribution requirements are.
[...]
Actually, in this case (OpenStack) from what I've seen the upstream
community understands the distribut
On 2014-04-07 12:00:20 +0200 (+0200), Jonas Smedegaard wrote:
> Quoting Gergely Nagy (2014-04-07 11:10:27)
> > Can we have ratpoison + selected things as default DE for Debian Zurg?
> > Please? Pretty please? With sugar on top?
>
> First, create a metapackage, and maintain it.
>
> Then when gett
On 2014-04-27 20:50:38 -0700 (-0700), Russ Allbery wrote:
[...]
> Containers would be a better environment, but you have to make
> them very, very simple to set up.
[...]
An academic librarian friend of mine has been working with the
various departments at his institution to start producing and
ar
Okay, not _mine_ specifically, but
someone's...) Changing the established values in a keymap out from
under users is foolish when the gains are nearly nonexistent and the
workaround is relatively trivial for those who actually want to side
with hobgoblins.
--
Jeremy Stanley
-I was paraphrasing Ralph Waldo Emerson's warning against
consistency for consistency's sake--it wasn't meant as a personal
slight in any way whatsoever.
--
Jeremy Stanley
vernments with control over jurisdictions where the DNS root keys
are managed not to MitM you by fabricating signed resolution chains
down to a TLSA record with the cert they want you to see. It all
depends on which tinfoil hat you find most comfortable.
--
Jeremy Stanley
e
a fairly strong degree of faith in the automatic archive signing
keys... we'd definitely be following similar measures to cross-sign,
secure and rotate our automatic tarball signing keys.
--
Jeremy Stanley
signature.asc
Description: Digital signature
one of its primary maintainers I don't
think I would be interested in patches which attempt to turn it into
a general client for various sorts of git servers (though I'm open
to being convinced otherwise).
--
Jeremy Stanley
wn and
> packaging it for Debian seems to be difficult.
[...]
As someone who helps maintain a very high-traffic Gerrit server, I
can confirm it's at least as un-fun as any very complex Java-based
server application. And apparently packaging it is even less fun...
https://bugs.debian
use both tools--and also the cut-n-paste
git checkout/cherry-pick commands displayed by the Gerrit WebUI--to
retrieve changes; it mostly boils down to what context I'm in as to
which is more convenient at any particular point in time.
--
Jeremy Stanley
(which in many cases may also mean investing in and
getting involved with assisting the OpenStack community's equivalent
of the DSA to keep the necessary test infrastructure to support
those older releases maintained and viable).
--
Jeremy Stanley
meal package-based software distributions
in general are being abandoned (or at best becoming implementation
details in some image build automation). Pointing fingers at other
distros isn't productive behavior, and certainly isn't a way to keep
ours relevant. It's like fighting over the last slice of cake on a
sinking ship.
--
Jeremy Stanley
m except by
killing much of the flexibility of traditional E-mail in the
process. Throwing out the baby with the bathwater.
--
Jeremy Stanley
ered by this combination?
Compromise of the cryptographic keys or primitives in use,
compromise of the authorized MTAs, compromise of the sender's
SMTP submission account, compromise of the sender's MUA/system, and
biggest of all of course is recipients who don't validate SPF/DKIM.
--
Jer
records rejecting messages from people
using their debian.org addresses in other ways (for example, yours
seems to have been sent through an MTA in GPLHost for relaying to
the lists.d.o MX).
--
Jeremy Stanley
d).
More than a dozen years have passed, and this choice really hasn't
presented a problem whatsoever.
--
Jeremy Stanley
h default locale. As such, using
en_DK.UTF-8 for this is as good a default as any in my opinion.
--
Jeremy Stanley
> format for such an operation. Other formats (zip, 7z, ...) are more
> suited for them.
Are you talking about source packages or binary packages here? The
latter use ar, not tar.
--
Jeremy Stanley
On 2019-05-09 06:27:36 +0900 (+0900), Mike Hommey wrote:
> On Wed, May 08, 2019 at 09:04:49PM +0000, Jeremy Stanley wrote:
[...]
> > Are you talking about source packages or binary packages here? The
> > latter use ar, not tar.
>
> Binary packages use both.
>
> $ a
ise between Debian and Conservancy,
rather than Debian making an informed choice based on advice from
Conservancy (and others). Your apparent disagreement with the result
comes across as though you're implying an adversarial relationship
between Debian and Conservancy which I sincerely hope does not
reflect the feelings of the community as a whole. As Harry Tuttle
once said, "we're all in it together."
--
Jeremy Stanley
[No need to Cc an extra copy, I've been a d-d subscriber since...
the 1990s?]
On 2019-06-08 13:00:02 -0400 (-0400), Sam Hartman wrote:
> Jeremy Stanley writes:
> > Your earlier message also implied the motives behind
> > Conservancy's recommendations to be something o
ty's web of trust (and a number of our community release
managers transitively attest to those public keys as well for added
coverage).
There's probably more I'm forgetting, but that's at least a good
start at mitigating unattended use of unencrypted keys while
maintaining a rob
On 2019-06-10 13:09:52 -0400 (-0400), Kyle Edwards wrote:
> On Mon, 2019-06-10 at 16:56 +0000, Jeremy Stanley wrote:
[...]
> > 6. To allow for easier manual verification of key transitions,
> > always sign new keys with their predecessors when creating them.
>
> We haven
y increasing character.
[...]
And yet you *wouldn't* be confused when Debian 2019.7 is released in
2021?
--
Jeremy Stanley
that note, I just do:
apt-ftparchive release . | gpg2 --clear-sign --output InRelease
Works great. Would simply adding that to the EXAMPLES section of
apt-ftparchive(1) suffice? It's right in line with the existing
example of a compressed Packages.gz file.
--
Jeremy Stanley
ke an odd choice for a CI
system, but I've seen far stranger misconfigurations over the years.
--
Jeremy Stanley
if you want to be able to build consistent systems
across disparate providers. Even if they haven't unnecessarily
tampered with official distro images themselves, there's no
guarantee that the Debian images they offer are for the same point
releases/snapshot dates and so on.
--
Jeremy Stanley
's because I've just
not found the time to work out how to configure systemd to serve
them instead (last I checked the packages for these didn't include a
service file), but I've also not felt particularly compelled to as
it's really convenient just to be able to put a line in
/etc/inetd.conf and HUP it.
Systemd having socket activation doesn't automatically make inetd
obsolete.
--
Jeremy Stanley
em. I'm simply glad to see
increasing uptake of automated testing in Debian relying on
free/libre open source software, but have no interest in viewing
choice between these solutions as a competition. When any one free
software solution wins, we all win.
--
Jeremy Stanley
"stone age" concept from which Debian
should relieve itself.
[*] https://bugs.debian.org/debbugs-source/mainline/COPYING
[**] https://gitlab.com/gitlab-org/gitlab-ee/blob/master/ee/LICENSE
--
Jeremy Stanley
ng those projects directly from tagged Git repository states,
that does necessarily imply performing similar steps to generate or
extract this metadata for use in their packages. Others may simply
wish to consume the prepared tarballs where this step has already
been performed for them.
--
Jeremy Stan
one necessarily better than the other? My ISP
can spy on far fewer users than Cloudflare can, so on balance this
seems like a net loss for privacy.
--
Jeremy Stanley
irefox
users. I think it comes down to whether you consider the biggest
privacy risk to come from focused/local attacks (in which case the
new default is a benefit) or from global dragnet trawling by "big
brother" (in which case nearly everyone in the World trusting the
same small numbe
that makes it hard to
> identify activists by having the software installed).
Note that by way of counterargument, Google and its services have
been blocked in mainland China by the Great Firewall for nearly a
decade now, so I question whether there is really such a thing as
"too big to block."
--
Jeremy Stanley
), but I'm not the one running it. Instead I chose to
move on and spend my limited time furthering software freedom in
other venues where it can actually make a difference.
--
Jeremy Stanley
static compilation,
but rather vendor in additional dynamically-linked libs which are
unlikely to be present on the target installations.
--
Jeremy Stanley
way. There's also basic substitutions
support in the reStructuredText specification, which might be useful
to reduce the amount of actual content you need to swap at build
time:
https://docutils.sourceforge.io/docs/ref/rst/restructuredtext.html#substitution-definitions
--
Jeremy Stanley
ripheral for
some reason. I get that I'm probably an exception, but there are
definitely users who simply find automounting behavior annoying,
beyond any potential security concerns.
--
Jeremy Stanley
s with a *.egg-info/ line in d/clean should both
> work. (Personally, I'd use extend-diff-ignore if the egg-info is
> also shipped in the source tarball and d/clean if not)
Similarly, I got one for __pycache__/*.cpython-311.pyc file
overwrites... is that something dh_python should clean
On 2023-08-16 11:45:43 +0800 (+0800), Paul Wise wrote:
> On Sun, 2023-08-13 at 21:18 +0000, Jeremy Stanley wrote:
>
> > Similarly, I got one for __pycache__/*.cpython-311.pyc file
> > overwrites... is that something dh_python should clean?
>
> Probably just send upstrea
omment telling people where to
find our contributor workflow documentation.
--
Jeremy Stanley
mment in GNU HURD sources, should we censor it out?
For that matter, if Debian was going to get into book burning over
racist, homophobic and misogynistic writing, all those packaged
versions of religious texts would presumably be the first things
tossed onto the pyre.
--
Jeremy Stanley
tually doing the work), is another matter of course. Like a
library choosing not to repurchase a particular damaged book due to
lack of popularity, rather than being pressed to remove it from the
shelves because someone disagrees with what's printed inside even
though they're never going
it seems like all too often it's in pursuit of signing on more
and more donors at the expense of distracting active free/libre open
source software communities from what they would normally focus on
achieving.
--
Jeremy Stanley
On 2023-09-08 13:31:43 +0000 (+0000), Jeremy Stanley wrote:
> On 2023-09-08 12:09:09 +0530 (+0530), Hideki Yamane wrote:
> [...]
> > SPDX is led by the Linux foundation project, OpenChain for license
> > compliance.
> [...]
>
> Unless I'm misreading, OpenChain
right files too, or is it really simply a hard-coded list of
matching patterns?
Regardless, this is great work, thanks for kicking off the
reevaluation!
--
Jeremy Stanley
assert that their more recent addition of HTTPS and strong checksums
mostly serves the purpose of users being able to double-check that
what they downloaded is what PyPI meant to serve them (even if they
can't as easily double-check that what they downloaded is what the
author believes was originally uploaded).
--
Jeremy Stanley
On 2023-11-16 00:20:40 +0100 (+0100), Salvo Tomaselli wrote:
> On Wednesday 15 November 2023 15:58:15 CET, Jeremy Stanley wrote:
> > why do you need to put an OpenPGP key on the service
> > you're using to upload Python packages (not Debian packages) to
> > PyP
the "trusted publisher" authentication mechanism (which
only supports GitHub Actions for now), there will likely be more
options in the future that also avoid use of global API tokens.
--
Jeremy Stanley
they have made things more complicated and more
inconvenient, which often ends up pressuring users into finding
less-secure workarounds, defeating the purpose of the additional
measures they enacted.
--
Jeremy Stanley
.d.o/doc (and maybe also wiki.d.o) could be
cool.
--
Jeremy Stanley
quire uninstalling the pipewire audio stack at least.
--
Jeremy Stanley
sing
popularity of the externally-developed cryptography library as a
good reason to strip any remnants of cryptographic modules and
bindings from the stdlib.
--
Jeremy Stanley
For a volunteer-driven community effort, we have to rely on
everyone to exercise their best judgement in these sorts of matters.
--
Jeremy Stanley
claimed secure workflows seems entirely intractable. Sure you could
ask every DD to fill out a questionnaire, but if you don't trust
them to all follow documented practices then why would you trust
them to accurately answer survey questions either?
--
Jeremy Stanley
a proprietary service who discovered a saboteur in their ranks.
--
Jeremy Stanley
but it's merely your opinion that sdists are *not*
"upstream-created source tarballs" (an opinion *not* shared by
everyone).
--
Jeremy Stanley
messages on the current branch
since the most recent tag if its SemVer-based version-guessing kicks
in (typically if the current commit isn't tagged and the version
string hasn't been overridden with an envvar).
--
Jeremy Stanley
onal information into our source archives.
--
Jeremy Stanley
eam maintainers understand that
downstream distributions want to include source code and can't
necessarily include full copies of our Git repositories, so we
create and cryptographically sign source code tarballs with all that
extracted/assembled metadata in the form of "generated" files, and
present those as our primary source distributions.
--
Jeremy Stanley