FS#70631 - [kitty] use signed tag
Attached to Project:
Community Packages
Opened by T.J. Townsend (blakkheim) - Wednesday, 28 April 2021, 20:26 GMT
Last edited by Maxim Baz (maximbaz) - Thursday, 06 May 2021, 17:46 GMT
Details
Description:
Attached diff switches the kitty package to a PGP-signed git tag for authenticity. It also adds a patch to disable the "phoning home" feature for update checks, which is a privacy violation and doesn't make sense on systems with package managers anyway.
Additional info: https://github.com/kovidgoyal/kitty/pull/3544
EDIT: patch is useless, upstream build option for linux distros disables this since 2019 --eschwartz
Closed by Maxim Baz (maximbaz)
Thursday, 06 May 2021, 17:46 GMT
Reason for closing: Implemented
Additional comments about closing:
- PGP signature added in 0.20.3
- update check was not an issue
Closing, thanks all!
kitty.diff
As for the signature maybe you could ask the maintainer to upload signed tarballs?
I discussed this with one of the maintainers on IRC. The update mechanism is already disabled in the PKGBUILD, so that part can be ignored. He is asking upstream if signed tarballs could be provided and will switch to the tag if not.
That's correct, I am aware. Is there a problem with me asking questions and waiting to see if the reporters change their minds before assigning opinion bugs? Do you have some actual reason to believe that the ticket will not be assigned shortly?
Are you absolutely positively sure that you know every last detail of my real life situation right now, and can guarantee beyond all shadow of a doubt that this isn't a case of me using a communication medium which makes it easier to quickly leave a comment, but harder to actually manipulate the assignment form?
(If so, please stop putting cameras all over my house right now.)
Turns out the asshole who submitted https://github.com/kovidgoyal/kitty/pull/3544 with an outrageously insulting attitude was out of date by *several years* as far as Linux packagers are concerned.
EDIT: holy cow, that PR is literally attacking the upstream dev for not merging a patch *to set the default value of the build option*. It's like this person doesn't get that it's a build option for a reason.