FS#70631 - [kitty] use signed tag

Attached to Project: Community Packages
Opened by T.J. Townsend (blakkheim) - Wednesday, 28 April 2021, 20:26 GMT
Last edited by Maxim Baz (maximbaz) - Thursday, 06 May 2021, 17:46 GMT
Task Type: Bug Report
Category: Packages
Status: Closed
Assigned To: Sven-Hendrik Haase (Svenstaro), Maxim Baz (maximbaz)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:
Attached diff switches the kitty package to a PGP-signed git tag for authenticity. It also adds a patch to disable the "phoning home" feature for update checks, which is a privacy violation and doesn't make sense on systems with package managers anyway.

Additional info:
https://github.com/kovidgoyal/kitty/pull/3544

EDIT: patch is useless, upstream build option for Linux distros has disabled this since 2019
--eschwartz

Closed by Maxim Baz (maximbaz)
Thursday, 06 May 2021, 17:46 GMT
Reason for closing: Implemented
Additional comments about closing:
- PGP signature added in 0.20.3
- update check was not an issue

Closing, thanks all!
Comment by Eli Schwartz (eschwartz) - Thursday, 29 April 2021, 00:12 GMT
I don't see the point of changing the update notifier, which won't bother most people as we update rapidly but may sometimes indicate the need to flag the package out of date.

As for the signature, maybe you could ask the maintainer to upload signed tarballs?
Comment by T.J. Townsend (blakkheim) - Thursday, 29 April 2021, 00:16 GMT
This bug still hasn't been properly assigned.

I discussed this with one of the maintainers on IRC. The update mechanism is already disabled in the PKGBUILD, so that part can be ignored. He is asking upstream if signed tarballs could be provided and will switch to the tag if not.
Comment by Eli Schwartz (eschwartz) - Thursday, 29 April 2021, 00:47 GMT
> This bug still hasn't been properly assigned.

That's correct, I am aware. Is there a problem with me asking questions and waiting to see if the reporters change their minds before assigning opinion bugs? Do you have some actual reason to believe that the ticket will not be assigned shortly?

Are you absolutely positively sure that you know every last detail of my real life situation right now, and can guarantee beyond all shadow of a doubt that this isn't a case of me using a communication medium which makes it easier to quickly leave a comment, but harder to actually manipulate the assignment form?

(If so, please stop putting cameras all over my house right now.)
Comment by Eli Schwartz (eschwartz) - Thursday, 29 April 2021, 00:53 GMT
In fact, if I weren't on said inconvenient mechanism, I would definitely have noticed https://git.archlinux.org/svntogit/community.git/commit/trunk?h=packages/kitty&id=56d18e09b3646619fb90537b5017e836fa98304a which was actually me! I set the official option for this, because there is in fact an official upstream option for this rather than mysterious downstream patching.

Turns out the asshole who submitted https://github.com/kovidgoyal/kitty/pull/3544 with an outrageously insulting attitude was out of date by *several years* as far as Linux packagers are concerned.

EDIT: holy cow, that PR is literally attacking the upstream dev for not merging a patch *to set the default value of the build option*. It's like this person doesn't get that it's a build option for a reason.
Comment by Maxim Baz (maximbaz) - Thursday, 29 April 2021, 08:25 GMT
kitty will upload signatures for the .tar.xz file in the next release: https://github.com/kovidgoyal/kitty/commit/3e00ee4155d83e713e1cf1ecc8e9e3d3aa4a63df
