Comments (6)
FYI, mgitstatus has just been accepted into debian today.
https://tracker.debian.org/pkg/mgitstatus
From Debian 11 (bullseye) and forward, people will be able to:
apt install mgitstatus
from multi-git-status.
Hey lyknode!
To share the awesomeness of this tool, I intend to package it for Debian.
Ah, that's fantastic! Thank you so much for your effort.
I'd suggest to use a Makefile for the build system
I personally really dislike Makefiles, but I understand that's it's much more standard. Given that this is such a small project, I can totally live with getting rid of the build.sla and install.sh files and replacing them with a single Makefile. I'd appreciate a pull request for this, as I always run into problems trying to write them ;-)
To deal with that, mgitstatus.1 would need to be removed and generated, at build time, by users (using make).
I used to write my manpages directly in Troff. The pandoc solution is just a slightly more convenient method for me. If that interferes, I suggest I just port the manpage to plain old Troff, and we put that in the repo as is. We can then completely get rid of the dependency on Pandoc. Is that an idea?
I would suggest to make available a cryptographic signature (using GPG keys) of your release tarball.
That would basically be just generating the release tarball and then generating a detached signature with my private key and uploading both files? I'm going to have to give this some more thought. A release right now is just a press of a button in Github. I want to keep the overhead here as low as possible. Would it add a lot to the security of the project? Right now the only official place to get releases is from the Github releases page, which is already tied to my account.
from multi-git-status.
The simple explanation is that if one cannot reproduce the file bit by bit from the source, it means that the generated files has no source and therefor is not open source.
That's not true. If it isn't the same bit by bit it isn't reproduceable but still open source.
I would suggest to make available a cryptographic signature (using GPG keys) of your release tarball. By publishing the signature along side the source tarballs, you ensure that any modification by a third party will be detected by end-users.
This are just the auto generated tar balls by github. A lot of other packages don't have signed archives either and they where accepted. Also the current state of gpg is not recommendable to anyone not tech savy.
I used to write my manpages directly in Troff. The pandoc solution is just a slightly more convenient method for me. If that interferes, I suggest I just port the manpage to plain old Troff, and we put that in the repo as is. We can then completely get rid of the dependency on Pandoc. Is that an idea?
That should work.
from multi-git-status.
I created #41 which adds a Makefile that represents the current scripts.
If you need help updating it to troff or have any other questions please reach out to me.
from multi-git-status.
To deal with that, mgitstatus.1 would need to be removed and generated, at build time, by users (using make).
I used to write my manpages directly in Troff. The pandoc solution is just a slightly more convenient method for me. If that interferes, I suggest I just port the manpage to plain old Troff, and we put that in the repo as is. We can then completely get rid of the dependency on Pandoc. Is that an idea?
It definitely is a possibility but I would take into account the fact that markdown is way easier for people to read and contribute to as opposed to the Troff format.
Given that pandoc is only a build dependency and final user will not need it, I'd say it fine to keep it and only have the markdown version in the sources.
I would suggest to make available a cryptographic signature (using GPG keys) of your release tarball.
That would basically be just generating the release tarball and then generating a detached signature with my private key and uploading both files? I'm going to have to give this some more thought. A release right now is just a press of a button in Github. I want to keep the overhead here as low as possible. Would it add a lot to the security of the project? Right now the only official place to get releases is from the Github releases page, which is already tied to my account.
Yes, that consist in adding a detached signature of the tarballs next to them.
Well, there have been cases of malicious code added to the release in the opensource community. I can recall at least phpmyadmin where one of sourceforge mirror got compromised (adding a nasty eval $_POST...
). I'm not aware of any breach or corruption on github but no system/platform is perfect. So does the risk exists? yes. Is it likely to happen to a small project like mgitstatus? no.
That being said, it looks like you already own a GPG key and creating the signature is one command away :) It's up to you.
The simple explanation is that if one cannot reproduce the file bit by bit from the source, it means that the generated files has no source and therefor is not open source.
That's not true. If it isn't the same bit by bit it isn't reproduceable but still open source.
That actually depends on the context, when building, yes, generated files can be unreproducible but still be open-source (because you generated from the source), but when distributing the source it's actually another matter. How can you be sure that a file comes from an available source if you can't build it yourself. I totally agree that in the case of mgitstatus, this is technicalities but it already been discussed in Debian and generally package maintainers just get rid of the generated files to avoid the package being rejected.
I would suggest to make available a cryptographic signature (using GPG keys) of your release tarball. By publishing the signature along side the source tarballs, you ensure that any modification by a third party will be detected by end-users.
This are just the auto generated tar balls by github. A lot of other packages don't have signed archives either and they where accepted. Also the current state of gpg is not recommendable to anyone not tech savy.
That is true, packages doesn't get rejected for that reason. It's just a nice to have additional security. Especially since distributions ensure that packages (or they metadata) are signed, it's even better is the trust chain can go up to the upstream sources.
from multi-git-status.
Given that pandoc is only a build dependency and final user will not need it, I'd say it fine to keep it and only have the markdown version in the sources.
Then I'd prefer to keep the Markdown version. Mostly because it can be read straight from Github's UI.
That being said, it looks like you already own a GPG key and creating the signature is one command away :) It's up to you
The benefits outweigh the effort in this case, so I'll set something up in the near future. I do have to check my key hygiene a bit. I'm 100% certain I've never leaked my priv key, but should probably do something with subkeys or something.
it's even better is the trust chain can go up to the upstream sources.
Agreed.
I created #41 which adds a Makefile that represents the current scripts.
Nice, thanks! If you could add the .PHONY tag and update the merge request, I'll merge it asap.
from multi-git-status.
Related Issues (20)
- "backing up" a git tree HOT 1
- syntax examples out of sync HOT 1
- targeting git repos with a nonstandard name/path? HOT 4
- [Question]/suggestion: Auto add to your path? or dot file? HOT 2
- flag remote branches that are ahead of remote master HOT 3
- branches in .git/logs/refs/heads are not checked, but do show up as branches in git-branch HOT 1
- Can we get a new release? HOT 1
- Repositories under 2 levels deep of a regular folder are not checked HOT 2
- Composer install HOT 2
- Not installing (macOS Big Sur) HOT 4
- "No commits yet" reported as "Uncommitted changes" HOT 3
- Got blocked out of server because queries happened too quickly HOT 2
- Very nice tool; thanks HOT 1
- Very slow lately HOT 3
- Install error on M1 macOS Monterey 12.3.1 (21E258) HOT 1
- Fork changes undetected HOT 4
- "find: ./.Trash: operation not permitted" appearing when run in home folder HOT 3
- Add a flag to list branches
- A "no" depth option HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from multi-git-status.