#1 2011-03-22 23:08:52

rohtie
Member
From: Norway
Registered: 2011-03-21
Posts: 9

How can I contribute to make pacman package signing a reality?

I would really like to contribute, however I do not know what the best approach is.
Any thoughts are welcome.

#2 2011-03-22 23:31:22

ataraxia
Member
From: Pittsburgh
Registered: 2007-05-06
Posts: 1,553

Re: How can I contribute to make pacman package signing a reality?

Join pacman-dev mailing list and talk to the pacman devs there. This sort of work isn't done in the forum.

#3 2011-03-22 23:38:12

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,648
Website

Re: How can I contribute to make pacman package signing a reality?

pacman-dev is the place for all development discussions.  FYI:

http://projects.archlinux.org/users/all … log/?h=gpg
https://wiki.archlinux.org/index.php/Us … ge_Signing  (only the pacman TODOs remain)

#4 2011-03-22 23:48:07

ngoonee
Forum Fellow
From: Between Thailand and Singapore
Registered: 2009-03-17
Posts: 7,360

Re: How can I contribute to make pacman package signing a reality?

rohtie wrote:

I would really like to contribute, however I do not know what the best approach is.
Any thoughts are welcome.

It doesn't bode well that you ask such a question here, a simple search (of the forums or the MLs) would have told you that the main (only?) requirement now is actual code/patches.

If you're a coder, then get to work :). Otherwise, you can just wait.


Allan-Volunteer on the (topic being discussed) mailing lists. You never get the people who matters attention on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.

#5 2011-03-24 01:09:53

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,237
Website

Re: How can I contribute to make pacman package signing a reality?

ngoonee wrote:

It doesn't bode well that you ask such a question here, a simple search (of the forums or the MLs) would have told you that the main (only?) requirement now is actual code/patches.

If you're a coder, then get to work :). Otherwise, you can just wait.

I don't think that's an appropriate response to someone willing to offer their time and effort to assist. Open-source isn't just about coding remember; the OP could assist with testing or documentation updates for example.

#6 2011-03-24 01:17:05

ngoonee
Forum Fellow
From: Between Thailand and Singapore
Registered: 2009-03-17
Posts: 7,360

Re: How can I contribute to make pacman package signing a reality?

fukawi2 wrote:
ngoonee wrote:

It doesn't bode well that you ask such a question here, a simple search (of the forums or the MLs) would have told you that the main (only?) requirement now is actual code/patches.

If you're a coder, then get to work :). Otherwise, you can just wait.

I don't think that's an appropriate response to someone willing to offer their time and effort to assist. Open-source isn't just about coding remember; the OP could assist with testing or documentation updates for example.

Yes, he could, but only after the code is done. Nothing to test/document before that, after all. There's nothing wrong with not being able to code (I can't, for example), but obviously that limits your usefulness in this specific topic.

#7 2011-03-24 02:44:01

ataraxia
Member
From: Pittsburgh
Registered: 2007-05-06
Posts: 1,553

Re: How can I contribute to make pacman package signing a reality?

There is signing code in pacman's git master branch right now - it was added there just today. Sure, there's work to be done in code-land yet, but I wouldn't say there's nothing for a tester or doc writer to do. pacman-key seems ready for some attention, and (if I can figure out why a PGP sig is supposed to be 72 bytes, and mine aren't), I'll be doing some verification testing also.

#8 2011-03-24 02:46:46

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,648
Website

Re: How can I contribute to make pacman package signing a reality?

ataraxia wrote:

if I can figure out why a PGP sig is supposed to be 72 bytes, and mine aren't

Known stuff-up...    it only affects "pacman -U pkg" though, so you can still sign packages and put them in the database with repo-add and have them be verified.   Verifying the signature of a database has not been merged yet (but reads the signature without assuming it is 72 bytes...).

Edit: note that these are the patches that I have run for a while on my system with a signed database and signed packages.  A basic TODO is here: https://wiki.archlinux.org/index.php/Us … ge_Signing - although most of the makepkg/repo-add/pacman-key stuff has patches waiting to be pulled...

#9 2011-03-24 02:59:39

ataraxia
Member
From: Pittsburgh
Registered: 2007-05-06
Posts: 1,553

Re: How can I contribute to make pacman package signing a reality?

Allan wrote:
ataraxia wrote:

if I can figure out why a PGP sig is supposed to be 72 bytes, and mine aren't

Known stuff-up...    it only affects "pacman -U pkg" though, so you can still sign packages and put them in the database with repo-add and have them be verified.   Verifying the signature of a database has not been merged yet (but reads the signature without assuming it is 72 bytes...).

It also affects "pacman -Qp", which is where I saw it. I'm guessing it's basically any operation that reads a package from disk?

#10 2011-03-24 03:09:32

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,648
Website

Re: How can I contribute to make pacman package signing a reality?

Yes, anything that reads a signature from disk is broken by that.   Fixing it is #1 on the pacman section of the TODO list I linked above.   The fix is available in the code for reading a signature for a database, in either mine or Dan's gpg branch.
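
What reading a signature "without assuming it is 72 bytes" can look like, as an added example that is not pacman's code and not part of the original posts: a binary detached OpenPGP signature states its own size in its packet header (RFC 4880), so a reader can take the length from there. The function name and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PGP_TAG_SIGNATURE 2   /* OpenPGP packet tag for a signature (RFC 4880) */

static unsigned long be32(const uint8_t *p) {
    return ((unsigned long)p[0] << 24) | ((unsigned long)p[1] << 16) |
           ((unsigned long)p[2] << 8) | p[3];
}

/* Total size (header + body) of the signature packet at buf, taken from the
 * packet's own length field. Returns -1 if buf is not a complete signature packet. */
long pgp_sig_packet_size(const uint8_t *buf, size_t n) {
    size_t hdr;
    unsigned long body;
    unsigned tag, lt;
    if (n < 2 || !(buf[0] & 0x80))
        return -1;                          /* bit 7 is set on every packet tag */
    if (buf[0] & 0x40) {                    /* new-format header */
        tag = buf[0] & 0x3F;
        if (buf[1] < 192) { hdr = 2; body = buf[1]; }
        else if (buf[1] < 224 && n >= 3) {
            hdr = 3; body = ((unsigned long)(buf[1] - 192) << 8) + buf[2] + 192; }
        else if (buf[1] == 255 && n >= 6) { hdr = 6; body = be32(buf + 2); }
        else return -1;                     /* partial length or short header */
    } else {                                /* old-format header */
        tag = (buf[0] >> 2) & 0x0F;
        lt = buf[0] & 0x03;                 /* length-type bits */
        if (lt == 0) { hdr = 2; body = buf[1]; }
        else if (lt == 1 && n >= 3) { hdr = 3; body = ((unsigned long)buf[1] << 8) | buf[2]; }
        else if (lt == 2 && n >= 5) { hdr = 5; body = be32(buf + 1); }
        else return -1;                     /* indeterminate length or short header */
    }
    if (tag != PGP_TAG_SIGNATURE || body > n - hdr)
        return -1;                          /* wrong packet type, or data truncated */
    return (long)(hdr + body);
}

int main(void) {
    /* Constructed samples: only the header bytes are set, bodies are zero-filled. */
    uint8_t small[72] = {0x88, 0x46};         /* old format, 70-byte body */
    uint8_t large[287] = {0x89, 0x01, 0x1C};  /* old format, 284-byte body */
    printf("%ld %ld %ld\n", pgp_sig_packet_size(small, sizeof small),
           pgp_sig_packet_size(large, sizeof large), pgp_sig_packet_size(large, 72));
    return 0;
}
```

A caller that read only 72 bytes of the larger sample gets -1 and knows the signature is incomplete, rather than passing a truncated signature on to verification.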
