On Wed, Jun 01, 2005 at 02:29:37PM -0500, Aaron Griffin wrote:
> On 6/1/05, Dusty Phillips <buchuki@gmail.com> wrote:
> > Since AUR can contain unofficial PKGBUILDs, I question the utility of this. Why don't users with binary package dbs submit the packages to AUR instead?
> > The answer, of course, will be "because they have to build the packages themselves". To this end, I think a script based on sourcepac that automatically downloads PKGBUILDs and builds them would be more useful.
> This was discussed a while back, and the answer is the same old "security".
> The AUR has no validation for PKGBUILDs. I could submit a PKGBUILD that has an install file that runs "rm -rf /" and the AUR will handle it just fine. With an automated command to download a PKGBUILD from the AUR and makepkg it without any checking, I can wipe your hard drive when you try to install madwifi from AUR.
There's a subtlety here that I think you've missed. The AUR can have contributions from anyone, with very weak-grained (opposite of fine-grained) control over whose packages you see. Essentially it'd be one huge personal repo that anyone could submit to. You have to trust everyone in existence if you trusted a random package from AUR.

A personal repo is usually run by a single person. It's fairly easy to say if you trust that one person's packages or not. By using a personal repo, I'm implicitly trusting the maintainer of that repo. By using an automatic-package-installing AUR, I'm implicitly trusting anyone with enough brains to create an AUR account.

Jason

--
If you understand, things are just as they are. If you do not understand, things are just as they are.
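As an added illustration (not part of the original thread, and not code from makepkg, the AUR or any AUR helper), here is a small POSIX shell script that does the minimal checking the message above says an automated AUR installer would skip. It reads a PKGBUILD as text, deliberately never sourcing it (sourcing would already execute whatever the submitter wrote), lists the install scriptlet and the source URLs, and greps the recipe and the scriptlet for a handful of commands that have no business in a package. The helper names (pkgbuild_field, scan_file, audit_pkgbuild, make_sample), the RISKY_RE pattern list and the sample PKGBUILD with its "rm -rf /" install hook are all constructed for this example.

```shell
#!/bin/sh
# Added example: static pre-build audit of an AUR-style PKGBUILD directory.
# The PKGBUILD is treated as text only; it is never sourced or executed.

# Illustrative pattern list (constructed for this example, not exhaustive):
# recursive delete of /, pipe-to-shell downloads, credential files,
# bash /dev/tcp reverse shells, setuid bits.
RISKY_RE='rm[[:space:]]+-[a-zA-Z]*[rf][a-zA-Z]*[[:space:]]+/(\*|[[:space:]]|$)|(curl|wget)[^|]*\|[[:space:]]*(ba)?sh|/etc/(passwd|shadow|sudoers)|/dev/tcp/|chmod[[:space:]]+([ug]\+s|[2-7][0-7]{3})'
URL_RE="(https?|ftp|git)://[^\"'[:space:])]+"

# Extract a simple scalar assignment (e.g. install=foo.install) from a
# PKGBUILD with sed, so no shell code in the file ever runs.
pkgbuild_field() {
    # $1 = PKGBUILD path, $2 = variable name; prints the first value found
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$1" | head -n 1
}

# Print every line of a file matching RISKY_RE; return 1 if any matched.
scan_file() {
    grep -nE "$RISKY_RE" "$1" && return 1
    return 0
}

# Audit one build directory. Returns 0 if nothing was flagged, 1 if a human
# must read the files before running makepkg, 2 if there is no PKGBUILD.
audit_pkgbuild() {
    ap_dir=$1
    ap_pkgbuild="$ap_dir/PKGBUILD"
    [ -f "$ap_pkgbuild" ] || { echo "no PKGBUILD in $ap_dir" >&2; return 2; }
    ap_flagged=0
    echo "== $ap_pkgbuild"
    echo "pkgname:  $(pkgbuild_field "$ap_pkgbuild" pkgname)"
    ap_install=$(pkgbuild_field "$ap_pkgbuild" install)
    echo "install:  ${ap_install:-<none>}"
    # Every URL the build would fetch and then compile/run code from.
    grep -oE "$URL_RE" "$ap_pkgbuild" | sed 's/^/source:   /'
    # build()/package() run under makepkg too, so scan the recipe itself...
    scan_file "$ap_pkgbuild" || ap_flagged=1
    # ...and the install scriptlet, which pacman runs as root at install time.
    if [ -n "$ap_install" ]; then
        if [ -f "$ap_dir/$ap_install" ]; then
            echo "== $ap_dir/$ap_install"
            scan_file "$ap_dir/$ap_install" || ap_flagged=1
        else
            echo "install scriptlet $ap_install is referenced but missing"
            ap_flagged=1
        fi
    fi
    return $ap_flagged
}

# Constructed sample package, written to a temp dir. $1 = "evil" gives the
# install hook the thread describes; anything else gives a harmless one.
# Nothing in the sample is ever executed, only read.
make_sample() {
    ms_dir=$(mktemp -d)
    cat > "$ms_dir/PKGBUILD" <<'EOF'
pkgname=madwifi
pkgver=0.9
pkgrel=1
arch=('i686')
install=madwifi.install
source=("http://example.invalid/madwifi-$pkgver.tar.gz")
build() {
  cd "$srcdir/madwifi-$pkgver"
  make && make DESTDIR="$pkgdir" install
}
EOF
    if [ "$1" = evil ]; then ms_payload='rm -rf /'; else ms_payload='depmod -a'; fi
    printf 'post_install() {\n  %s\n}\n' "$ms_payload" > "$ms_dir/madwifi.install"
    echo "$ms_dir"
}

# Stand-alone demo: audit the malicious sample before anyone types makepkg.
demo_dir=$(make_sample evil)
if audit_pkgbuild "$demo_dir"; then
    echo "RESULT: nothing flagged; still read the files before makepkg"
else
    echo "RESULT: review required, do not run makepkg blindly"
fi
rm -rf "$demo_dir"
```

A grep is a tripwire, not a substitute for reading the files: anything in build() or package() also runs under makepkg as the building user, the install scriptlet runs as root under pacman, and a hostile submitter can split or encode a command so that no fixed pattern matches. The script's job is to force the pause and the look that the thread says an automatic download-and-makepkg tool would remove, which is exactly the trust decision Jason is describing.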