[pacman-dev] Finishing off the package signing issue -- Update
Kerrick Staley
mail at kerrickstaley.com
Wed Jun 1 10:28:53 EDT 2011
On Wed, Jun 1, 2011 at 3:07 AM, Allan McRae <allan at archlinux.org> wrote:
>> As I said, we can fix this after shipping the initial signing-related
>> updates. Ship early/ship often, simplicity is far more important than
>> completeness, and all that jazz. I'd argue further, but in the
>> interest of saving your time and mine, let's let Dan decide.
...
>>
>> We won't ship pacman-key out at all until it is working well. In the
>> meantime, end-users can get its functionality if needed by manually
>> invoking gpg.
>
>
> Hmm... we can ship pacman early and often without full functionality but
> not pacman-key. Good thing for consistent policies...
>
> I'd say all the patches needed for pacman-key to be production ready are
> already on the mailing list. And it is actually quite functional as it
> currently is in git. I have been using it to manage my pacman keyring for
> months.
Allan,
The point is that while the features of pacman-key and
user-signature-verification are useful, they are nonessential and
shouldn't delay the launch of the package-signing feature if
incomplete. You seemed to indicate that pacman-key isn't ready for use
("a key management tool call pacman-key is implemented. It still
needs work and there are a bunch of patches on the mailing list for
it. I hope to find time to finalise this in the near future..."), and
I don't see why adding a thin layer of abstraction on top of GnuPG's
functionality is needed, especially since users will not normally have
to manually administer pacman's keyring. It's not a priority for me
personally, and if it's not done when everything else is, then the
signing feature can ship without it.
On Wed, Jun 1, 2011 at 3:09 AM, Allan McRae <allan at archlinux.org> wrote:
> On 30/05/11 19:43, Kerrick Staley wrote:
>>
>> 3) The documentation for developer tools (makepkg, repo-add) should be
>> reviewed and finalized.
>
> I had pretty much declared makepkg and repo-add completely finished,
> including documentation. Did you have anything that actually needed
> adjusted in the current documentation?
No; I just noticed some unfinished areas in the pacman documentation
and added this provision to the TODO list for completeness.
-Kerrick Staley
More information about the pacman-dev
mailing list