TU Application: Daniel Bermond (dbermond)

classic Classic list List threaded Threaded
27 messages Options
12
Reply | Threaded
Open this post in threaded view
|

TU Application: Daniel Bermond (dbermond)

tur-users mailing list
Hi,

My name is Daniel Bermond and my alias on the AUR and forums is
dbermond[1][3].

Bruno Pagani (alias: ArchangeGabriel) is sponsoring my Trusted User application. I would like to highly thank Bruno for accepting to be my sponsor.

I'm a Brazilian doctor (physician). Yes, my job and profession are not related to the computing world, but since childhood I'm an enthusiast of the computing and software world. I've beeing using Linux since many years ago, and it's difficult to tell when I started, but it has been a long time. By searching in the middle of some old things here I could find some old Ubuntu CD-ROMs of the 7.04 (2007) version from the time they still shipped free disks worldwide, so I can for sure say that I have 11 years of Linux usage at minimum. But my initial Linux usage starts even before this, with some old RedHat distribution that didn't run very well on my poor graphics card, at a time that I cannot tell precisely. For many years I did the famous distro-hopping and have used many major distributions: openSUSE, Fedora, Mandrake/Mandriva (when they still existed), PCLinuxOS, Ubuntu and variants, Mint and probably others.

I have started to use Arch in 2015. At that time I was at Linux Mint and feel the need for something better and different. I found myself in need of more recent software, being disappointed with the Mint/Ubuntu outdated ones. I was also very tired to reinstall the system every one (or two) year(s). When Mint went for shipping LTS-only releases, I decided that a rolling release distribution should be my new place. By already having many years of Linux usage and experience in the background, Arch was everything that I was looking for. Added the fact of being able to fully customize my system by building packages that could be easily integrated in the system with pacman.

After felling confident with Arch itself, I've started to contribute packages to the AUR. I can perfectly remember my first one: ffmpeg-full-git. It was, and still is, a pleasure to maintain it, firstly because I was in need for it, and, secondly, because I was contributing back to the community something that was useful for me. Things evolved quickly, I started to maintain more and more packages that I was also in need for, while adopting other orphaned ones, and currently I'm the maintainer of 170+ packages[2].

Some of the packages that I maintained were already brought into the official repositories:
- ffnvcodec-headers
- intel-gmmlib (formerly named gmmlib on the AUR, adopted by my sponsor Bruno)
- intel-media-driver (adopted by my sponsor Bruno Pagani)
- libraqm
- nccl
- pybind11* (TU Santiago announced me that he will bring it into [community])

Among the years, I've studied C, x86 assembly, Python and shellscript. I'm trying to add C++ to the list, already started it, but still need to find more time to dedicate to it. I've made some contributions to the open source world.
I have a project of my own called screencast[4], which is a command line interface to record a X11 desktop using FFmpeg, having support for offline recording, live streaming and the capability of adding some effects. It's written in pure POSIX/portable shellscript. Besides this, I've made a few commits here and there into the following open source projects: caffe2[5] (now on pytorch github repository), intel gstreamer media SDK[6][7] and intel media sdk[8]. So I also try to contribute back to some upstream projects when my not-so-wide programming skills allow me. I also report bugs to the upstream open source projects for packages which I maintain on the AUR if I encounter some that affects the building process or my direct usage.

I would like to become a Trusted User to be able to contribute to the Arch community as much as I can.

I would like to bring the following packages into [community]:
- advancecomp
- kvazaar
- intel-media-sdk
- libmysofa
- openh264
- shine
- vmaf

I'm also willing to co-maintain my already mentioned old AUR packages. It would be a pleasure.

I think that's all. Thanks to everyone that is reading and analysing my application.

Best regards,
Daniel Bermond

[1] https://aur.archlinux.org/account/dbermond
[2] https://aur.archlinux.org/packages/?SeB=M&K=dbermond
[3] https://github.com/dbermond/
[4] https://github.com/dbermond/screencast/
[5] https://github.com/pytorch/pytorch/commits?author=dbermond
[6] https://github.com/intel/gstreamer-media-SDK/commits?author=dbermond
[7] https://github.com/intel/gstreamer-media-SDK/commits/topic_linux_and_window?author=dbermond
[8] https://github.com/Intel-Media-SDK/MediaSDK/commits?author=dbermond



signature.asc (499 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: TU Application: Daniel Bermond (dbermond)

tur-users mailing list
Hi,

I hereby confirm my sponsorship of Daniel.

Let the (new 14 days format) discussion period begin!

Regards,
Bruno

P.S.: Please excuse the absence of line wrapping in Daniel e-mail,
that’s my fault for having attempted to fix the reverse problem (text
editor + TB line wrapping).

Le 14/10/2018 à 21:49, Daniel Bermond via aur-general a écrit :

> Hi,
>
> My name is Daniel Bermond and my alias on the AUR and forums is
> dbermond[1][3].
>
> Bruno Pagani (alias: ArchangeGabriel) is sponsoring my Trusted User application. I would like to highly thank Bruno for accepting to be my sponsor.
>
> I'm a Brazilian doctor (physician). Yes, my job and profession are not related to the computing world, but since childhood I'm an enthusiast of the computing and software world. I've beeing using Linux since many years ago, and it's difficult to tell when I started, but it has been a long time. By searching in the middle of some old things here I could find some old Ubuntu CD-ROMs of the 7.04 (2007) version from the time they still shipped free disks worldwide, so I can for sure say that I have 11 years of Linux usage at minimum. But my initial Linux usage starts even before this, with some old RedHat distribution that didn't run very well on my poor graphics card, at a time that I cannot tell precisely. For many years I did the famous distro-hopping and have used many major distributions: openSUSE, Fedora, Mandrake/Mandriva (when they still existed), PCLinuxOS, Ubuntu and variants, Mint and probably others.
>
> I have started to use Arch in 2015. At that time I was at Linux Mint and feel the need for something better and different. I found myself in need of more recent software, being disappointed with the Mint/Ubuntu outdated ones. I was also very tired to reinstall the system every one (or two) year(s). When Mint went for shipping LTS-only releases, I decided that a rolling release distribution should be my new place. By already having many years of Linux usage and experience in the background, Arch was everything that I was looking for. Added the fact of being able to fully customize my system by building packages that could be easily integrated in the system with pacman.
>
> After felling confident with Arch itself, I've started to contribute packages to the AUR. I can perfectly remember my first one: ffmpeg-full-git. It was, and still is, a pleasure to maintain it, firstly because I was in need for it, and, secondly, because I was contributing back to the community something that was useful for me. Things evolved quickly, I started to maintain more and more packages that I was also in need for, while adopting other orphaned ones, and currently I'm the maintainer of 170+ packages[2].
>
> Some of the packages that I maintained were already brought into the official repositories:
> - ffnvcodec-headers
> - intel-gmmlib (formerly named gmmlib on the AUR, adopted by my sponsor Bruno)
> - intel-media-driver (adopted by my sponsor Bruno Pagani)
> - libraqm
> - nccl
> - pybind11* (TU Santiago announced me that he will bring it into [community])
>
> Among the years, I've studied C, x86 assembly, Python and shellscript. I'm trying to add C++ to the list, already started it, but still need to find more time to dedicate to it. I've made some contributions to the open source world.
> I have a project of my own called screencast[4], which is a command line interface to record a X11 desktop using FFmpeg, having support for offline recording, live streaming and the capability of adding some effects. It's written in pure POSIX/portable shellscript. Besides this, I've made a few commits here and there into the following open source projects: caffe2[5] (now on pytorch github repository), intel gstreamer media SDK[6][7] and intel media sdk[8]. So I also try to contribute back to some upstream projects when my not-so-wide programming skills allow me. I also report bugs to the upstream open source projects for packages which I maintain on the AUR if I encounter some that affects the building process or my direct usage.
>
> I would like to become a Trusted User to be able to contribute to the Arch community as much as I can.
>
> I would like to bring the following packages into [community]:
> - advancecomp
> - kvazaar
> - intel-media-sdk
> - libmysofa
> - openh264
> - shine
> - vmaf
>
> I'm also willing to co-maintain my already mentioned old AUR packages. It would be a pleasure.
>
> I think that's all. Thanks to everyone that is reading and analysing my application.
>
> Best regards,
> Daniel Bermond
>
> [1] https://aur.archlinux.org/account/dbermond
> [2] https://aur.archlinux.org/packages/?SeB=M&K=dbermond
> [3] https://github.com/dbermond/
> [4] https://github.com/dbermond/screencast/
> [5] https://github.com/pytorch/pytorch/commits?author=dbermond
> [6] https://github.com/intel/gstreamer-media-SDK/commits?author=dbermond
> [7] https://github.com/intel/gstreamer-media-SDK/commits/topic_linux_and_window?author=dbermond
> [8] https://github.com/Intel-Media-SDK/MediaSDK/commits?author=dbermond
>
>


signature.asc (499 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: TU Application: Daniel Bermond (dbermond)

tur-users mailing list
In reply to this post by tur-users mailing list
Decided to take a quick look at your PKGBUILDs, and just a few spot checks
makes me wonder. The first one I click on is apache-flex-sdk, I see that you
aren't the original submitter, so I look at the git log and see that the first
thing you did when taking over this was to remove pgp checks from the source.
WTF. Look at the PKGBUILD, see a totally useless prepare function, ok, not a
big thing. Let's check another one, clicked on flif, see msg2s being used for
no reason and bad conflicts. Click on a couple more, see that those issues
aren't mistakes, they're a fundamental misunderstanding.

Maybe my perception was colored by that really bad decision to remove the pgp
checks, and while the PKGBUILDs are mostly fine, there seems to be things about
packaging that you don't understand yet. Is it time to become a TU already?

attachment0 (499 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: TU Application: Daniel Bermond (dbermond)

Baptiste Jonglez
In reply to this post by tur-users mailing list
Hi,

On 14-10-18, Daniel Bermond via aur-general wrote:
> My name is Daniel Bermond and my alias on the AUR and forums is
> dbermond[1][3].
>
> Bruno Pagani (alias: ArchangeGabriel) is sponsoring my Trusted User application. I would like to highly thank Bruno for accepting to be my sponsor.

Welcome here!

I see that you maintain a fair number of useful and popular packages,
thanks for the work it represents.

I had a look at some of your packages (including the ones you mention
below), and they are in pretty good shape.

> I would like to bring the following packages into [community]:
> - advancecomp
> - kvazaar
> - intel-media-sdk
> - libmysofa
> - openh264
> - shine
> - vmaf

Out of curiosity, do you plan to only bring these 7 packages to
[community], or is it just a highlight?  Out of those 7, only 4 are
currently maintained by you (unless I'm being tricked by the new
co-maintainer feature), and they are not the most popular packages you
have.

Baptiste

signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: TU Application: Daniel Bermond (dbermond)

tur-users mailing list
In reply to this post by tur-users mailing list

On 10/14/18 5:03 PM, Doug Newgard via aur-general wrote:

> Decided to take a quick look at your PKGBUILDs, and just a few spot checks
> makes me wonder. The first one I click on is apache-flex-sdk, I see that you
> aren't the original submitter, so I look at the git log and see that the first
> thing you did when taking over this was to remove pgp checks from the source.
> WTF. Look at the PKGBUILD, see a totally useless prepare function, ok, not a
> big thing. Let's check another one, clicked on flif, see msg2s being used for
> no reason and bad conflicts. Click on a couple more, see that those issues
> aren't mistakes, they're a fundamental misunderstanding.
>
> Maybe my perception was colored by that really bad decision to remove the pgp
> checks, and while the PKGBUILDs are mostly fine, there seems to be things about
> packaging that you don't understand yet. Is it time to become a TU already?
I usually don't use pgp on my aur packages because people tend to
complain a lot about building issues. They fail to handle the keys and
start complaining to the packager, and this is a big stress. When
dealing with repository packages this is another story, of course. Since
this was raised as a main issue, I'll be adding the pgp checks back again.

I know that we should not use msg2 because it's makepkg internal. But it
helps to diagnose user problems by helping to identify at which stage a
build error is happening. For sure I can remove it if required to. ;)

Regarding the conflicts situation, now I better understand it. I will
start to fix it my packages as soon as possible! :)

--
Best regards,
Daniel Bermond



signature.asc (499 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: TU Application: Daniel Bermond (dbermond)

Baptiste Jonglez
In reply to this post by tur-users mailing list
Hi,

On 14-10-18, Doug Newgard via aur-general wrote:

> Decided to take a quick look at your PKGBUILDs, and just a few spot checks
> makes me wonder. The first one I click on is apache-flex-sdk, I see that you
> aren't the original submitter, so I look at the git log and see that the first
> thing you did when taking over this was to remove pgp checks from the source.
> WTF. Look at the PKGBUILD, see a totally useless prepare function, ok, not a
> big thing. Let's check another one, clicked on flif, see msg2s being used for
> no reason and bad conflicts. Click on a couple more, see that those issues
> aren't mistakes, they're a fundamental misunderstanding.
>
> Maybe my perception was colored by that really bad decision to remove the pgp
> checks, and while the PKGBUILDs are mostly fine, there seems to be things about
> packaging that you don't understand yet. Is it time to become a TU already?
Well, as always, you could start by not being immediately aggressive
towards people.

Judging from the handful of PKGBUILDs I've read, the quality is really
high overall, they don't even have most of the "classical" small mistakes
(there is source renaming when needed, etc).  We don't require new TUs to
do everything perfectly, and nothing is ever perfect anyway.  There's
always something new to learn.

Regarding the PGP checks, there is no question that they are very useful
and desirable for packages in our repositories.  I am sure that Daniel
will make efforts to add PGP checks wherever possible when he moves
packages to [community].  But for the AUR, the situation is a bit
different (in my opinion) because I know it throws some people off when
they don't know that they have to import a PGP key to build the package.
I tend to include them anyway now, but I would understand that somebody
would like not to.

Anyway, for the specific case of apache-flex-sdk, look at the comments:
the signing key simply seemed to have expired.

Baptiste

signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: TU Application: Daniel Bermond (dbermond)

tur-users mailing list
On Sun, 14 Oct 2018 23:38:54 +0200
Baptiste Jonglez <[hidden email]> wrote:

> Hi,
>
> On 14-10-18, Doug Newgard via aur-general wrote:
> > Decided to take a quick look at your PKGBUILDs, and just a few spot checks
> > makes me wonder. The first one I click on is apache-flex-sdk, I see that you
> > aren't the original submitter, so I look at the git log and see that the first
> > thing you did when taking over this was to remove pgp checks from the source.
> > WTF. Look at the PKGBUILD, see a totally useless prepare function, ok, not a
> > big thing. Let's check another one, clicked on flif, see msg2s being used for
> > no reason and bad conflicts. Click on a couple more, see that those issues
> > aren't mistakes, they're a fundamental misunderstanding.
> >
> > Maybe my perception was colored by that really bad decision to remove the pgp
> > checks, and while the PKGBUILDs are mostly fine, there seems to be things about
> > packaging that you don't understand yet. Is it time to become a TU already?  
>
> Well, as always, you could start by not being immediately aggressive
> towards people.
Please read my email again, it was not aggressive in any way. My response to
your candidate would be aggressive, I'm still deciding if I want to actually
send that.

>
> Judging from the handful of PKGBUILDs I've read, the quality is really
> high overall, they don't even have most of the "classical" small mistakes
> (there is source renaming when needed, etc).  We don't require new TUs to
> do everything perfectly, and nothing is ever perfect anyway.  There's
> always something new to learn.

I'm not talking about expecting perfection, I'm seeing consistent issues that
point to a possible misunderstanding on how packaging is handled. That is a
cause for concern and worth being brought up.

>
> Regarding the PGP checks, there is no question that they are very useful
> and desirable for packages in our repositories.  I am sure that Daniel
> will make efforts to add PGP checks wherever possible when he moves
> packages to [community].  But for the AUR, the situation is a bit
> different (in my opinion) because I know it throws some people off when
> they don't know that they have to import a PGP key to build the package.
> I tend to include them anyway now, but I would understand that somebody
> would like not to.

The situation in the AUR is no different at all. Downgrading PKGBUILDs to
appease users who don't want to learn anything is is a serious problem and is a
cause for grave concerns.

>
> Anyway, for the specific case of apache-flex-sdk, look at the comments:
> the signing key simply seemed to have expired.
>
> Baptiste

attachment0 (499 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: TU Application: Daniel Bermond (dbermond)

tur-users mailing list
In reply to this post by tur-users mailing list
On 10/14/18 3:49 PM, Daniel Bermond via aur-general wrote:

> Hi,
>
> My name is Daniel Bermond and my alias on the AUR and forums is
> dbermond[1][3].
>
> Bruno Pagani (alias: ArchangeGabriel) is sponsoring my Trusted User
> application. I would like to highly thank Bruno for accepting to be
> my sponsor.
>
> I'm a Brazilian doctor (physician). Yes, my job and profession are
> not related to the computing world, but since childhood I'm an
> enthusiast of the computing and software world. I've beeing using
> Linux since many years ago, and it's difficult to tell when I
> started, but it has been a long time. By searching in the middle of
> some old things here I could find some old Ubuntu CD-ROMs of the 7.04
> (2007) version from the time they still shipped free disks worldwide,
> so I can for sure say that I have 11 years of Linux usage at minimum.
> But my initial Linux usage starts even before this, with some old
> RedHat distribution that didn't run very well on my poor graphics
> card, at a time that I cannot tell precisely. For many years I did
> the famous distro-hopping and have used many major distributions:
> openSUSE, Fedora, Mandrake/Mandriva (when they still existed),
> PCLinuxOS, Ubuntu and variants, Mint and probably others.
>
> I have started to use Arch in 2015. At that time I was at Linux Mint
> and feel the need for something better and different. I found myself
> in need of more recent software, being disappointed with the
> Mint/Ubuntu outdated ones. I was also very tired to reinstall the
> system every one (or two) year(s). When Mint went for shipping
> LTS-only releases, I decided that a rolling release distribution
> should be my new place. By already having many years of Linux usage
> and experience in the background, Arch was everything that I was
> looking for. Added the fact of being able to fully customize my
> system by building packages that could be easily integrated in the
> system with pacman.
>
> After felling confident with Arch itself, I've started to contribute
> packages to the AUR. I can perfectly remember my first one:
> ffmpeg-full-git. It was, and still is, a pleasure to maintain it,
> firstly because I was in need for it, and, secondly, because I was
> contributing back to the community something that was useful for me.
> Things evolved quickly, I started to maintain more and more packages
> that I was also in need for, while adopting other orphaned ones, and
> currently I'm the maintainer of 170+ packages[2].
$ package-query -As --maintainer dbermond -f %b | sort -u| wc -l
171

*tries to think how he'll manage to review all these*

> Some of the packages that I maintained were already brought into the
> official repositories: - ffnvcodec-headers - intel-gmmlib (formerly
> named gmmlib on the AUR, adopted by my sponsor Bruno) -
> intel-media-driver (adopted by my sponsor Bruno Pagani) - libraqm -
> nccl - pybind11* (TU Santiago announced me that he will bring it into
> [community])
>
> Among the years, I've studied C, x86 assembly, Python and
> shellscript. I'm trying to add C++ to the list, already started it,
> but still need to find more time to dedicate to it. I've made some
> contributions to the open source world. I have a project of my own
> called screencast[4], which is a command line interface to record a
> X11 desktop using FFmpeg, having support for offline recording, live
> streaming and the capability of adding some effects. It's written in
> pure POSIX/portable shellscript.
That's a rather... intimidatingly complex Makefile, by the way. If I
might ask, what is the purpose of splitting apart the source files then
recombining them like this? It is slightly similar to how makepkg is
developed, except we loop through and source a library in
/usr/share/makepkg ...

Carving apart the headers with sed and relying on the *order* they are
combined, seems to be defeating the purpose at any rate.

...

The Makefile specifies various targets using e.g. PREFIX := /usr/local,
surely you meant to use ?= for this? BCOMPDIR should properly be derived
from $(shell pkg-config bash-completion --variable completionsdir)

Your other loops here and there could take advantage of *not* being
loops, like for make clean, just using rm's builtin -v to print the
files being removed.

I also find it rather odd that you take pains to single-quote your
static strings in sh snippets like [ -f '$(NAME)' ] and [ -d
'./test/output' ]
But, you don't quote things that need quoting, like:
install -Dm755  ... '$(DESTDIR)'...

(Because DESTDIR can have spaces depending on the makepkg BUILDDIR,
hence why we always quote "$srcdir" and "$pkgdir", at least until the
Makefile mangles it for us.)

Don't feel bad though, you're nowhere near the only offender at this --
GNU autotools does it too, so most Makefiles in the world have this issue.

You probably should not be opinionated in your Makefile, about gzipping
the manpage. Packaging tools like makepkg already do this (and maybe
make it configurable). I would say it breaks reproducible builds, but
you did add the -n flag so at least that is alright.

> Besides this, I've made a few
> commits here and there into the following open source projects:
> caffe2[5] (now on pytorch github repository), intel gstreamer media
> SDK[6][7] and intel media sdk[8]. So I also try to contribute back to
> some upstream projects when my not-so-wide programming skills allow
> me. I also report bugs to the upstream open source projects for
> packages which I maintain on the AUR if I encounter some that affects
> the building process or my direct usage.
>
> I would like to become a Trusted User to be able to contribute to the
> Arch community as much as I can.
>
> I would like to bring the following packages into [community]: -
> advancecomp
Too late -- I said I would do that back in my TU application:
https://lists.archlinux.org/pipermail/aur-general/2017-December/033719.html

And you've reminded me to do so. :p

> - kvazaar - intel-media-sdk - libmysofa - openh264 - shine - vmaf
>
> I'm also willing to co-maintain my already mentioned old AUR
> packages. It would be a pleasure.
>
> I think that's all. Thanks to everyone that is reading and analysing
> my application.
>
> Best regards, Daniel Bermond

--
Eli Schwartz
Bug Wrangler and Trusted User


signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: TU Application: Daniel Bermond (dbermond)

tur-users mailing list
In reply to this post by tur-users mailing list
Hi Daniel,

On 10/14/18 9:49 PM, Daniel Bermond via aur-general wrote:
> I have a project of my own called screencast[4], which is a command line interface to record a X11 desktop using FFmpeg, having support for offline recording, live streaming and the capability of adding some effects. It's written in pure POSIX/portable shellscript.


Just took some seconds of reading screencast and i noticed the following
that you may want to fix as i didn't spot in a 10sec lookup what would
mitigate the following:

https://github.com/dbermond/screencast/blob/HEAD/src/settings_general.sh#L31

You are using /tmp here, you should replace processing with a safe user
owned directory aquired by `mktemp`.

The reason:

Its vulnerable to symlink attacks, you can delete arbitrary user owned
files via:
https://github.com/dbermond/screencast/blob/HEAD/src/system.sh#L31

Or steal secret data like ssh or gnipg secret keys by moving it outside
of a user-only accessable folder via a `mv` gadget:

https://github.com/dbermond/screencast/blob/HEAD/src/system.sh#L40

cheers,
Levente


signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: TU Application: Daniel Bermond (dbermond)

tur-users mailing list
In reply to this post by tur-users mailing list
On 10/14/18 5:35 PM, Daniel Bermond via aur-general wrote:
> I usually don't use pgp on my aur packages because people tend to
> complain a lot about building issues. They fail to handle the keys and
> start complaining to the packager, and this is a big stress. When
> dealing with repository packages this is another story, of course. Since
> this was raised as a main issue, I'll be adding the pgp checks back again.

It's very simple to handle people who refuse to learn how the AUR works:
refuse to acknowledge anything they say, and simply respond with "learn
how to makepkg".

Removing pgp checks in the general case is not okay, even if "it's just
an AUR package, so no one cares about security because it's all garbage,
right?"

> I know that we should not use msg2 because it's makepkg internal. But it
> helps to diagnose user problems by helping to identify at which stage a
> build error is happening. For sure I can remove it if required to. ;)

I've yet to come across a single justified case of using msg2, anyone
who knows how to read an error message in the first place doesn't need
this help.

There's no rule against it per se, but I regard it as... messy.
Especially in the example Doug indicated, it seems to be wildly
overcomplicating the build and package functions.

--
Eli Schwartz
Bug Wrangler and Trusted User


signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: TU Application: Daniel Bermond (dbermond)

tur-users mailing list
In reply to this post by tur-users mailing list
On 10/14/18 11:35 PM, Daniel Bermond via aur-general wrote:
>
> I usually don't use pgp on my aur packages because people tend to
> complain a lot about building issues. They fail to handle the keys and
> start complaining to the packager, and this is a big stress. When
> dealing with repository packages this is another story, of course. Since
> this was raised as a main issue, I'll be adding the pgp checks back again.
>

So let me summarize what you are saying, correct me if im wrong:

You fully know whats all the gizzle with gpg. Instead of acting like a
trustable user who follows best practice and spreads good advice and
helps teaching people about how all this works properly you prefere to
pull the lazy card because its what? big stress? Serious?
I don't even find words to describe how untrustworthy this is to the
community to prefer to remove GPG signatures instead of educating users?

PS: Did you hear of pinned comments?

WOW I'm speechless at best.


signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: TU Application: Daniel Bermond (dbermond)

Baptiste Jonglez
On 15-10-18, Levente Polyak via aur-general wrote:

> On 10/14/18 11:35 PM, Daniel Bermond via aur-general wrote:
> >
> > I usually don't use pgp on my aur packages because people tend to
> > complain a lot about building issues. They fail to handle the keys and
> > start complaining to the packager, and this is a big stress. When
> > dealing with repository packages this is another story, of course. Since
> > this was raised as a main issue, I'll be adding the pgp checks back again.
> >
>
> So let me summarize what you are saying, correct me if im wrong:
>
> You fully know whats all the gizzle with gpg. Instead of acting like a
> trustable user who follows best practice and spreads good advice and
> helps teaching people about how all this works properly you prefere to
> pull the lazy card because its what? big stress? Serious?
> I don't even find words to describe how untrustworthy this is to the
> community to prefer to remove GPG signatures instead of educating users?
What a warm way to welcome people.  A bit of fact-checking doesn't hurt:

$ pkgver=4.16.1
$ wget "https://www.apache.org/dist/flex/${pkgver}/binaries/apache-flex-sdk-${pkgver}-bin.tar.gz"{,.asc}
$ gpg --verify apache-flex-sdk-4.16.1-bin.tar.gz.asc
gpg: assuming signed data in 'apache-flex-sdk-4.16.1-bin.tar.gz'
gpg: Signature made mer. 15 nov. 2017 09:44:37 CET
gpg:                using RSA key 44998F3E242727E94C4BADEB6B0A7EC905061FC8
gpg: Can't check signature: No public key

$ gpg --search-keys 44998F3E242727E94C4BADEB6B0A7EC905061FC8
gpg: data source: http://192.146.137.99:11371
(1)  Piotr Zarzycki (CODE SIGNING KEY) <[hidden email]>
       4096 bit RSA key 6B0A7EC905061FC8, created: 2017-06-17 (revoked)
Keys 1-1 of 1 for "44998F3E242727E94C4BADEB6B0A7EC905061FC8".  Enter number(s), N)ext, or Q)uit >


Baptiste

signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: TU Application: Daniel Bermond (dbermond)

tur-users mailing list
On 10/15/18 12:27 AM, Baptiste Jonglez wrote:

> On 15-10-18, Levente Polyak via aur-general wrote:
>> On 10/14/18 11:35 PM, Daniel Bermond via aur-general wrote:
>>>
>>> I usually don't use pgp on my aur packages because people tend to
>>> complain a lot about building issues. They fail to handle the keys and
>>> start complaining to the packager, and this is a big stress. When
>>> dealing with repository packages this is another story, of course. Since
>>> this was raised as a main issue, I'll be adding the pgp checks back again.
>>>
>>
>> So let me summarize what you are saying, correct me if im wrong:
>>
>> You fully know whats all the gizzle with gpg. Instead of acting like a
>> trustable user who follows best practice and spreads good advice and
>> helps teaching people about how all this works properly you prefere to
>> pull the lazy card because its what? big stress? Serious?
>> I don't even find words to describe how untrustworthy this is to the
>> community to prefer to remove GPG signatures instead of educating users?
>
> What a warm way to welcome people.  A bit of fact-checking doesn't hurt:
>
> $ pkgver=4.16.1
> $ wget "https://www.apache.org/dist/flex/${pkgver}/binaries/apache-flex-sdk-${pkgver}-bin.tar.gz"{,.asc}
> $ gpg --verify apache-flex-sdk-4.16.1-bin.tar.gz.asc
> gpg: assuming signed data in 'apache-flex-sdk-4.16.1-bin.tar.gz'
> gpg: Signature made mer. 15 nov. 2017 09:44:37 CET
> gpg:                using RSA key 44998F3E242727E94C4BADEB6B0A7EC905061FC8
> gpg: Can't check signature: No public key
>
> $ gpg --search-keys 44998F3E242727E94C4BADEB6B0A7EC905061FC8
> gpg: data source: http://192.146.137.99:11371
> (1)  Piotr Zarzycki (CODE SIGNING KEY) <[hidden email]>
>        4096 bit RSA key 6B0A7EC905061FC8, created: 2017-06-17 (revoked)
> Keys 1-1 of 1 for "44998F3E242727E94C4BADEB6B0A7EC905061FC8".  Enter number(s), N)ext, or Q)uit >
>
>
> Baptiste
>
Fact checkin what? I didn't respond to a specific case, I responded to a
general statement:

"I usually don't use pgp on my aur packages because people tend to
complain a lot about building issues."

And that statement applies to parts of your comment as well... no I
frankly don't understand that someone would not like to because its
stress. We then better add base-devel to makedepends as well, right?


signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: TU Application: Daniel Bermond (dbermond)

tur-users mailing list
In reply to this post by tur-users mailing list
On Sun, 14 Oct 2018 18:35:53 -0300
Daniel Bermond via aur-general <[hidden email]> wrote:

> I usually don't use pgp on my aur packages because people tend to
> complain a lot about building issues. They fail to handle the keys and
> start complaining to the packager, and this is a big stress. When
> dealing with repository packages this is another story, of course. Since
> this was raised as a main issue, I'll be adding the pgp checks back again.
>
> I know that we should not use msg2 because it's makepkg internal. But it
> helps to diagnose user problems by helping to identify at which stage a
> build error is happening. For sure I can remove it if required to. ;)

You're not helping your case. The pgp issue has well been covered, so I'll skip
that for now.

For msg2, the response that you know you're not supposed to use it but decided
to anyway doesn't inspire confidence. printf or echo would have done the job
just as well, but you used something you knew you weren't supposed to?

To clarify, as I originally said, your PKGBUILDs that I spot checked are
generally good and I think you could make a good TU. You seem to be willing to
work with people, and that's a good sign. There's just some things that make me
wonder if now is the time.

Doug

attachment0 (499 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: TU Application: Daniel Bermond (dbermond)

tur-users mailing list
In reply to this post by Baptiste Jonglez
On 10/14/18 6:12 PM, Baptiste Jonglez wrote:
> Hi,
>
> On 14-10-18, Daniel Bermond via aur-general wrote:
>> My name is Daniel Bermond and my alias on the AUR and forums is
>> dbermond[1][3].
>>
>> Bruno Pagani (alias: ArchangeGabriel) is sponsoring my Trusted User application. I would like to highly thank Bruno for accepting to be my sponsor.
> Welcome here!
Thank you! :)
>
> I see that you maintain a fair number of useful and popular packages,
> thanks for the work it represents.
>
> I had a look at some of your packages (including the ones you mention
> below), and they are in pretty good shape.
Thanks again. I'm trying my best to give good packages to aur users.

>> I would like to bring the following packages into [community]:
>> - advancecomp
>> - kvazaar
>> - intel-media-sdk
>> - libmysofa
>> - openh264
>> - shine
>> - vmaf
> Out of curiosity, do you plan to only bring these 7 packages to
> [community], or is it just a highlight?  Out of those 7, only 4 are
> currently maintained by you (unless I'm being tricked by the new
> co-maintainer feature), and they are not the most popular packages you
> have.
>
> Baptiste
That package list was an initial one and I can bring more packages
later. But please note that a significant amount of my packages are
either development ones (-git, -hg, etc) or modified packages that
already exist on the repos, and those ones are not eligible for
[community]. I think the following packages are another good ones to
bring into [community], and I'm maintaining:

- firetools
- fs-uae
- fs-uae-launcher
- htmldoc
- laptop-mode-tools
- libemf
- libilbc
- mujs

--

Best regards,
Daniel Bermond



signature.asc (499 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: TU Application: Daniel Bermond (dbermond)

tur-users mailing list
In reply to this post by tur-users mailing list
On 10/14/18 7:06 PM, Eli Schwartz via aur-general wrote:
>
> That's a rather... intimidatingly complex Makefile, by the way. If I
> might ask, what is the purpose of splitting apart the source files then
> recombining them like this? It is slightly similar to how makepkg is
> developed, except we loop through and source a library in
> /usr/share/makepkg ...
>
> Carving apart the headers with sed and relying on the *order* they are
> combined, seems to be defeating the purpose at any rate.

The purpose is to have a single script as the final result, instead of
an executable with installed modules. And yes, using 'source' (the dot
command) was discarded by me during development, so a makefile with
split sources was the choice, being it complex or not. ;) Since the
final script is huge, this make it easier to use and distribute it (it's
just a single file), while making it possible to split the source code
into separated parts for easier maintenance in the future, specially if
the code keeps growing up. When having such a large script in a single
file, it keeps harder and harder to maintain/fix/improve the code, so I
decided to make this way.


>
> ...
>
> The Makefile specifies various targets using e.g. PREFIX := /usr/local,
> surely you meant to use ?= for this? BCOMPDIR should properly be derived
> from $(shell pkg-config bash-completion --variable completionsdir)

Thanks for the suggestions. :)


>
> Your other loops here and there could take advantage of *not* being
> loops, like for make clean, just using rm's builtin -v to print the
> files being removed.

Make clean just erases a single file (screencast) if it is present,
without looping. Even if it was looping, in this way a get a
personalized output message instead of the standard rm message, which I
like ;). And this is not a critical part to worry about loops :)


> I also find it rather odd that you take pains to single-quote your
> static strings in sh snippets like [ -f '$(NAME)' ] and [ -d
> './test/output' ]

I like to quote things in shell code (the part you mentioned are shell
ones). That's just my personal approach. You can see this on the .sh
sources too.


> But, you don't quote things that need quoting, like:
> install -Dm755  ... '$(DESTDIR)'...
>
> (Because DESTDIR can have spaces depending on the makepkg BUILDDIR,
> hence why we always quote "$srcdir" and "$pkgdir", at least until the
> Makefile mangles it for us.)

Ah yes, forgot it there. Thanks for pointing this out! :)


>
> Don't feel bad though, you're nowhere near the only offender at this --
> GNU autotools does it too, so most Makefiles in the world have this issue.

I also see this out there ;)


>
> You probably should not be opinionated in your Makefile, about gzipping
> the manpage. Packaging tools like makepkg already do this (and maybe
> make it configurable). I would say it breaks reproducible builds, but
> you did add the -n flag so at least that is alright.

The purpose of this makefile was to present the regular user with a
proper and well suited installation. If you check the readme it has an
installation section with very basic instructions. Being such, for the
regular user perspective it's better to install a gzipped manpage.
Packagers can modify this at their will.


>
>> I would like to bring the following packages into [community]: -
>> advancecomp
> Too late -- I said I would do that back in my TU application:
> https://lists.archlinux.org/pipermail/aur-general/2017-December/033719.html
>
> And you've reminded me to do so. :p
>
Oh sorry, I missed you saying this about advancecomp :)


--
Best regards,
Daniel Bermond



signature.asc (499 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: TU Application: Daniel Bermond (dbermond)

tur-users mailing list
In reply to this post by tur-users mailing list
On 10/14/18 7:10 PM, Levente Polyak via aur-general wrote:

> Hi Daniel,
>
> On 10/14/18 9:49 PM, Daniel Bermond via aur-general wrote:
>> I have a project of my own called screencast[4], which is a command line interface to record a X11 desktop using FFmpeg, having support for offline recording, live streaming and the capability of adding some effects. It's written in pure POSIX/portable shellscript.
>
> Just took some seconds of reading screencast and i noticed the following
> that you may want to fix as i didn't spot in a 10sec lookup what would
> mitigate the following:
>
> https://github.com/dbermond/screencast/blob/HEAD/src/settings_general.sh#L31
>
> You are using /tmp here, you should replace processing with a safe user
> owned directory aquired by `mktemp`.
>
> The reason:
>
> Its vulnerable to symlink attacks, you can delete arbitrary user owned
> files via:
> https://github.com/dbermond/screencast/blob/HEAD/src/system.sh#L31
>
> Or steal secret data like ssh or gnipg secret keys by moving it outside
> of a user-only accessable folder via a `mv` gadget:
>
> https://github.com/dbermond/screencast/blob/HEAD/src/system.sh#L40
>
> cheers,
> Levente
Hi Levente,

Thank you for pointing this!

Although mktemp is not defined by the POSIX specification, it passes the
shellcheck POSIX test with /bin/sh. I think it will not defeat the POSIX
purpose of the script. Googling for it suggests that it's present
everywhere nowadays. I can check for it's presence on the system and use
it if available, otherwise fallback to the poor /tmp or something else.

I'll be implementing this as soon as I can, and also some Eli suggestions.

--
Best regards,
Daniel Bermond



signature.asc (499 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: TU Application: Daniel Bermond (dbermond)

tur-users mailing list
In reply to this post by tur-users mailing list

On 10/14/18 7:14 PM, Eli Schwartz via aur-general wrote:

> On 10/14/18 5:35 PM, Daniel Bermond via aur-general wrote:
>> I usually don't use pgp on my aur packages because people tend to
>> complain a lot about building issues. They fail to handle the keys and
>> start complaining to the packager, and this is a big stress. When
>> dealing with repository packages this is another story, of course. Since
>> this was raised as a main issue, I'll be adding the pgp checks back again.
> It's very simple to handle people who refuse to learn how the AUR works:
> refuse to acknowledge anything they say, and simply respond with "learn
> how to makepkg".
>
> Removing pgp checks in the general case is not okay, even if "it's just
> an AUR package, so no one cares about security because it's all garbage,
> right?"
Thanks for the suggestions. I'll use pgp whenever possible on aur
packages then.


>> I know that we should not use msg2 because it's makepkg internal. But it
>> helps to diagnose user problems by helping to identify at which stage a
>> build error is happening. For sure I can remove it if required to. ;)
> I've yet to come across a single justified case of using msg2, anyone
> who knows how to read an error message in the first place doesn't need
> this help.
>
> There's no rule against it per se, but I regard it as... messy.
> Especially in the example Doug indicated, it seems to be wildly
> overcomplicating the build and package functions.
Ok, I'll be removing msg2 from all my packages, or use printf/echo
instead like mentioned by Doug in his message.


--
Best regards,
Daniel Bermond



signature.asc (499 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: TU Application: Daniel Bermond (dbermond)

tur-users mailing list
In reply to this post by tur-users mailing list

On 10/14/18 7:16 PM, Levente Polyak via aur-general wrote:

> On 10/14/18 11:35 PM, Daniel Bermond via aur-general wrote:
>> I usually don't use pgp on my aur packages because people tend to
>> complain a lot about building issues. They fail to handle the keys and
>> start complaining to the packager, and this is a big stress. When
>> dealing with repository packages this is another story, of course. Since
>> this was raised as a main issue, I'll be adding the pgp checks back again.
>>
> So let me summarize what you are saying, correct me if im wrong:
>
> You fully know whats all the gizzle with gpg. Instead of acting like a
> trustable user who follows best practice and spreads good advice and
> helps teaching people about how all this works properly you prefere to
> pull the lazy card because its what? big stress? Serious?
> I don't even find words to describe how untrustworthy this is to the
> community to prefer to remove GPG signatures instead of educating users?
>
> PS: Did you hear of pinned comments?
>
> WOW I'm speechless at best.
Sorry then. I'll be using gpg checks whenever it's available from now on.

--
Best regards,
Daniel Bermond



signature.asc (499 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: TU Application: Daniel Bermond (dbermond)

tur-users mailing list
In reply to this post by tur-users mailing list
On 10/14/18 7:36 PM, Doug Newgard via aur-general wrote:

> On Sun, 14 Oct 2018 18:35:53 -0300
> Daniel Bermond via aur-general <[hidden email]> wrote:
>
>> I usually don't use pgp on my aur packages because people tend to
>> complain a lot about building issues. They fail to handle the keys and
>> start complaining to the packager, and this is a big stress. When
>> dealing with repository packages this is another story, of course. Since
>> this was raised as a main issue, I'll be adding the pgp checks back again.
>>
>> I know that we should not use msg2 because it's makepkg internal. But it
>> helps to diagnose user problems by helping to identify at which stage a
>> build error is happening. For sure I can remove it if required to. ;)
> You're not helping your case. The pgp issue has well been covered, so I'll skip
> that for now.
>
> For msg2, the response that you know you're not supposed to use it but decided
> to anyway doesn't inspire confidence. printf or echo would have done the job
> just as well, but you used something you knew you weren't supposed to?
Ok, I'll not be using msg2 anymore from now on and will remove it from
packages.


>
> To clarify, as I originally said, your PKGBUILDs that I spot checked are
> generally good and I think you could make a good TU. You seem to be willing to
> work with people, and that's a good sign. There's just some things that make me
> wonder if now is the time.
>
> Doug
I understand.

--
Best regards,
Daniel Bermond



signature.asc (499 bytes) Download Attachment
12