Hi guys, I really enjoy our status quo with AUR. This is the first user repo in the Linux world that is easy to talk to. Just compare it to those Ubuntu PPAs that you first need to find and trust. I really prefer to run yaourt -Ss package-i-am-looking-for, and not to Google for "arch linux package-i-am-looking-for", then call repo-add, etc. Staying in the console is a very big plus for me.

I am also satisfied with how AUR users keep it clean. Delete requests (including binaries directly in the PKGBUILD!), merge requests, disown requests... While there could be more automation involved, I do believe AUR is the best user repo I have ever used.

Lastly, I am OK with building the packages myself. After all, I see the PKGBUILD, which is just simple code. Or, alternatively, I see where the binaries are downloaded from. If they are downloaded from upstream, I am totally OK with that. Binaries built by AUR wouldn't be nice.
The process could also involve grabbing the files (or hashes) through different Tor exit nodes and comparing them to make sure they're all the same, and there's no attacker messing with the local Internet connection.
This is the *only* improvement I could see for AUR. Not only trust the sha256sums provided by the maintainer, but also have a guarantee that these sha256sums are validated by AUR. If they don't match, the package is not available for download. Anything else, like binaries built by AUR itself, trusting the users, finding their private repos, etc., I do oppose.

Regarding the subject (Is Voting Effective?): theoretically, packages are picked from AUR to [community] according to the number of votes. However, I have never seen anything like that. Any time a new Trusted User candidate asks to join the team, they list packages that they want to move from AUR to [community]. It's totally arbitrary. If there's no one interested in maintaining the package, it remains in AUR. Fine by me.

--
Kind regards,
Damian Nowak
StratusHost
www.AtlasHost.eu