#PackagerLife - kbin.social

Foxboron, 1 month ago to archlinux

The wheels on the rebuild goes build build build. Build Build Build. BUILD BUILD BUILD.

The wheels on the rebuild goes BUILD BUILD BUILD.

All through Python3.12.

#ArchLinux #PackagerLife

reply

expand (4)

collapse (4)

report

activity

copy /kbin url

copy original url

open original url

Loading...

dvzrv, 8 months ago to archlinux

#stalebot considered harmful, edition 9000.

https://github.com/OpenShot/libopenshot/issues/922

Well, gives me one less project to care about! 🤷

#ArchLinux #packagerlife

reply

report

activity

copy /kbin url

copy original url

open original url

Loading...

+ markush

dvzrv, 9 months ago to archlinux

Packager and upstream work that could have been avoided by a reasonable phasing out of #OpenPGP signatures for #sdist tarballs on #PyPI: https://archlinux.org/todo/fix-reproducibility-of-packages-broken-by-pypi-removing-signature-files/

#archlinux #packagerlife #python

reply

expand (5)

collapse (5)

report

activity

copy /kbin url

copy original url

open original url

Loading...

dvzrv, 10 months ago to archlinux

It seems we'll have a lot of "fun" with the #PyPi decision to remove signatures for sdist tarballs (https://blog.pypi.org/posts/2023-05-23-removing-pgp/) going forward.

To scream into the void: Yes, PyPi, someone was using those signatures. Distro package maintainers secured user supply chains with it!

I'm not looking forward to asking dozens of upstreams to host their signatures elsewhere (just stumbled across one case). Meanwhile reproducibility is now broken for those packages.

#ArchLinux #packagerlife #Python

reply

expand (13)

collapse (13)

report

activity

copy /kbin url

copy original url

open original url

Loading...

+ onepict, kushal, cnx, puniko +2 more

dvzrv, 11 months ago to random

Today's prize for worst #CVE handling goes to #ncurses for bulk releasing a huge patchset (http://ncurses.scripts.mit.edu/?p=ncurses.git;a=commit;h=eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56) for CVE-2023-29491 (probably(?), as it is never mentioned in the NEWS file...) instead of providing atomic patches for changes. Why do people not use git repositories properly, if they have them? 😭

For downstreams this is extremely painful to deal with.

#ArchLinux #packagerlife

reply

expand (4)

collapse (4)

report

activity

copy /kbin url

copy original url

open original url

Loading...

dvzrv, 11 months ago

And of course now we have a regression with #tmux on #ArchLinux 😬

https://bugs.archlinux.org/task/78584

#packagerlife

reply

report

activity

copy /kbin url

copy original url

open original url

Loading...

dvzrv, 11 months ago

And #vim is also affected by the latest #ncurses 😢

https://bugs.archlinux.org/task/78585

#ArchLinux #packagerlife

reply

report

activity

copy /kbin url

copy original url

open original url

Loading...

dvzrv, 1 year ago to opensource

Some #corporate #opensource #python #upstreams are more cursed than others.

We experience packager drain on #molecule and #ansible related packages, as upstream knowingly breaks compatibility from time to time and doesn't guard or test against it properly. Instead afterwards suggests to "just pin it" 🤡 (which does not work after the fact in system packaging).

Soon they will have their wish fulfilled when no one wants to touch that stuff for packaging anymore...

#ArchLinux #packagerlife

reply

expand (3)

collapse (3)

report

activity

copy /kbin url

copy original url

open original url

Loading...