Regarding QA

Michael Schwendt ms-nospam-0306 at arcor.de
Fri Feb 6 14:34:46 UTC 2004


On Fri,  6 Feb 2004 01:02:00 -0600, Eric Rostetter wrote:

> * how do you know what packages to test (only with slocate was it announced
> on the list, before that you had to know where to look, remember to look,
> etc)

[in addition to the other reply to this] 

At bugzilla.fedora.us, Fedora Legacy has its own "product" where package
requests and/or bugs can be filed. In addition to that, in tickets with
Fedora Legacy relevance, the "LEGACY" keyword is set and makes queries
easy (bugzilla keywords and other bugzilla details are explained when
e.g. you follow the links at the top of a ticket). I think slocate had
been mentioned on the list before the ticket was opened, though.
 
> * If you don't know how to use the package, how do you know if it works?
> (so I can't help test apt if I don't have any docs on how to use it, etc)

Valid point and also one reason (besides lack of human resources and lack
of interest) why some packages are stuck in the fedora.us queue. Anyone
who would like to give apt a try could help though and simply start using
the program daily. With updates, some fixes and packages can be reviewed
at the source code level. For instance, sometimes a trivial one-line patch
closes a buffer overflow problem, and if the built binary package
matches the previous binary package very closely, there's no reason to be
concerned.

> * Once I see it works, how do I report that it works?

Comments on packages are to be added to the corresponding bugzilla ticket.
 
> * How do I verify I'm testing the correct package (gnupg signature checks,
> etc)

A package should be signed with the packager's key (and official Fedora
Legacy packages signed with the Fedora Legacy key). "rpm -Kv filename.rpm"
gives information on package integrity and signatures. Additionally,
together with the package the MD5 or SHA1 checksum is likely posted.
"md5sum filename" or "sha1sum filename" must return the same checksum.

Since GPG keys are imported into the RPM database ("rpm --import keyfile"),
make sure you only import keys of people you want to import.

> * How do I get a gnupg signature?

The introduction in /usr/share/doc/gnupg-*/README might help if Google
doesn't find tutorials or beginners' guides (it should!). There's also
software that makes working with keys and keyrings easier, e.g. the
graphical GPA (package "gpa" at fedora.us).

> Do I need to register it somewhere? how?
> Where?

To spread a public key, it can be uploaded in ASCII exported form to
public keyservers, such as http://pgp.mit.edu:11371/ and
http://www.keyserver.net/

> * How do I sign a message?

At the command line, for example:

  gpg --clearsig file

and the rest is interactive and provided that you have a default secret
key. That would create a signed file "file.asc" (.asc => ASCII).

> What does cleartext sign mean?  etc.

It's when the signed part is enclosed with a header (-----BEGIN PGP SIGNED
MESSAGE-----), the signature is appended at the bottom, both in ASCII
encoded form suitable for direct inclusion in a mail, and the signed part
stays readable because it is not encoded (except that special sequences
are escaped). Example:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello World!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAI6Lr0iMVcrivHFQRAu3EAJ9gadwyNnU5zmRHk4A8ZN3SoMh7RwCggFpJ
rx0K2+fqWTWKUImFI93Yh7o=
=WKXp
-----END PGP SIGNATURE-----

One can cut'n'paste such a block of text into a file and verify it
with "gpg --verify file", for instance.

> Please review the QA.php file I posted.

It's good where it starts at the top of the procedure, that is rebuilding
a src.rpm, extracting a src.rpm and so on. It's not good where it copies
fedora.us guidelines which don't apply to Fedora Legacy. E.g. you don't
want to replace with rpm macros any hardcoded paths in a spec file, if
that package has been building and working fine for ages and only
an additional patch is added.
 
-- 
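
The checksum comparison described in the message above ("md5sum filename" or "sha1sum filename" must return the posted value) can be scripted. This is an added example, not part of the original post; the function name check_posted_sum is hypothetical, and it assumes the md5sum and sha1sum tools named in the message are installed.

```shell
#!/bin/sh
# Added example: compare a downloaded file against the checksum posted with it.
# check_posted_sum is a hypothetical helper name, not an existing tool.

# check_posted_sum FILE POSTED_SUM
# Returns 0 on match, 1 on mismatch, 2 on a missing file or malformed checksum.
check_posted_sum() {
    file=$1
    # Posted sums are sometimes upper-case or padded with whitespace.
    posted=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')

    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    # Reject anything that is not pure hex before looking at its length.
    case $posted in
        ''|*[!0-9a-f]*) echo "posted checksum is not hex" >&2; return 2 ;;
    esac

    # 32 hex digits = MD5, 40 hex digits = SHA1 (the two kinds named above).
    case ${#posted} in
        32) tool=md5sum ;;
        40) tool=sha1sum ;;
        *)  echo "unexpected checksum length ${#posted}" >&2; return 2 ;;
    esac

    # Read from stdin so the tool's output carries no filename to mis-parse.
    actual=$("$tool" < "$file" | cut -d' ' -f1)

    if [ "$actual" = "$posted" ]; then
        echo "OK ($tool): $file"
        return 0
    fi
    echo "MISMATCH ($tool): $file" >&2
    echo "  posted: $posted" >&2
    echo "  actual: $actual" >&2
    return 1
}

# Stand-alone use: sh script.sh filename.rpm <posted checksum>
if [ "$#" -eq 2 ]; then
    check_posted_sum "$1" "$2"
fi
```

A matching checksum only shows the file is the one that was posted; the signature check with "rpm -Kv filename.rpm" is still what ties it to the packager's key.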




