FS#76236 - [deluge] add validpgpkeys

Attached to Project: Arch Linux
Opened by T.J. Townsend (blakkheim) - Tuesday, 18 October 2022, 18:47 GMT
Last edited by Jan Alexander Steffens (heftig) - Thursday, 26 January 2023, 16:29 GMT
Task Type: Bug Report
Category: Packages: Extra
Status: Closed
Assigned To: Jan Alexander Steffens (heftig)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:
The attached diff adds a validpgpkeys line to the deluge package and uses a signed git tag for authenticity.

Additional info:
The same signed tags are available on both GitHub and dev.deluge-torrent.org. The diff uses GitHub since it seems to be a lot faster and more responsive, but either one works.

https://git.deluge-torrent.org/deluge/tag/?h=deluge-2.1.1
https://github.com/deluge-torrent/deluge/releases/tag/deluge-2.1.1
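
What a validpgpkeys allow-list adds to a signed tag, as an added example that is not part of this report, its attached diff, or makepkg's own code: the functions read GnuPG status lines such as those `git verify-tag --raw` writes to stderr and accept the tag only when the primary key behind a valid signature is listed. The fingerprints and status lines are constructed placeholders, and `signer_fingerprint` and `tag_is_trusted` are hypothetical names.

```shell
#!/bin/sh
# Added example (not makepkg's code): accept a signed tag only if the key
# that made a valid signature is on an allow-list, as validpgpkeys does.

# Constructed placeholder fingerprint; NOT the real Deluge signing key.
VALID_KEYS="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

# Read GnuPG status lines on stdin; print the primary-key fingerprint of a
# valid signature. Fail if there is none or any bad/expired/revoked marker.
signer_fingerprint() {
    fpr="" bad=0
    while read -r tag kw a1 a2 a3 a4 a5 a6 a7 a8 a9 a10 rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$kw" in
            # Field 10 is the primary key when a subkey made the signature.
            VALIDSIG) fpr="${a10:-$a1}" ;;
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) bad=1 ;;
        esac
    done
    [ "$bad" -eq 0 ] && [ -n "$fpr" ] && printf '%s\n' "$fpr"
}

# tag_is_trusted STATUS_TEXT: succeed only for an allow-listed signer.
tag_is_trusted() {
    signer=$(printf '%s\n' "$1" | signer_fingerprint) || return 1
    for key in $VALID_KEYS; do
        [ "$signer" = "$key" ] && return 0
    done
    return 1
}

# Constructed status output, shaped like `git verify-tag --raw <tag> 2>&1`.
SUBKEY="BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
OTHER="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"
TAIL="2022-06-01 1654041600 0 4 0 1 10 00"
SAMPLE_GOOD="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG BBBBBBBBBBBBBBBB Example Signer <signer@example.org>
[GNUPG:] VALIDSIG $SUBKEY $TAIL $VALID_KEYS"
SAMPLE_OTHER="[GNUPG:] VALIDSIG $OTHER $TAIL $OTHER"
SAMPLE_BAD="[GNUPG:] BADSIG BBBBBBBBBBBBBBBB Example Signer <signer@example.org>"

for s in "$SAMPLE_GOOD" "$SAMPLE_OTHER" "$SAMPLE_BAD"; do
    if tag_is_trusted "$s"; then echo "trusted"; else echo "rejected"; fi
done
```

Against a real checkout the status text would come from `git verify-tag --raw deluge-2.1.1 2>&1`, with the signer's public key already in the local keyring.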
Closed by Jan Alexander Steffens (heftig)
Thursday, 26 January 2023, 16:29 GMT
Reason for closing: Fixed
Additional comments about closing: deluge 1:2.1.1-3
Comment by T.J. Townsend (blakkheim) - Tuesday, 18 October 2022, 18:51 GMT
Or this version uses the more standardized "git rev-parse" comment.
Comment by T.J. Townsend (blakkheim) - Sunday, 15 January 2023, 00:59 GMT
Updated diff for 2.1.1-2
Comment by Jan Alexander Steffens (heftig) - Sunday, 15 January 2023, 01:18 GMT
I'm not interested in applying this as it breaks the gitpkg script used to manage the _commit variable.

https://gitlab.archlinux.org/archlinux/infrastructure/-/blob/master/roles/archbuild/files/gitpkg
Comment by David Runge (dvzrv) - Sunday, 15 January 2023, 14:27 GMT
@heftig: The conflict with a custom script is not the greatest point to make when it comes to improving a package's source authentication though.
What would be needed to fix this? What are the specific blockers?
Couldn't the script be altered to match this use-case? I think it would be beneficial to support this, if gitpkg (or its functionality) should be (somehow) integrated with devtools in the future.
Comment by Levente Polyak (anthraxx) - Monday, 16 January 2023, 23:30 GMT
In my humble opinion, in general we shouldn't reject upstream authentication because custom-created tooling breaks; either the priority should be to fix the custom tooling, or a different way to maintain the commit hash should be chosen. I'm not aware of why exactly your script has an issue with it; my very naive assumption about what would be needed can't spot a huge issue with an implementation. Can you share your thoughts on how we could get both sides happy?
Comment by T.J. Townsend (blakkheim) - Thursday, 26 January 2023, 16:21 GMT
Ping @heftig: Any thoughts on the above remarks? I also don't think the integrity of an Arch package should be held back because of unofficial tooling. It would be great if we can come to an agreement.