August 2014 - Aur-general - lists.archlinux.org

[aur-general] Signoff report for [community-testing]
by Arch Website Notification 13 Aug '14

13 Aug '14

=== Signoff report for [community-testing] === https://www.archlinux.org/packages/signoffs/ There are currently: * 4 new packages in last 24 hours * 0 known bad packages * 0 packages not accepting signoffs * 0 fully signed off packages * 20 packages missing signoffs * 0 packages older than 14 days (Note: the word 'package' as used here refers to packages as grouped by pkgbase, architecture, and repository; e.g., one PKGBUILD produces one package per architecture, even if it is a split package.) == New packages in [community-testing] in last 24 hours (4 total) == * ibus-skk-1.4.1.20140813-1 (i686) * libskk-1.0.1-3 (i686) * ibus-skk-1.4.1.20140813-1 (x86_64) * libskk-1.0.1-3 (x86_64) == Incomplete signoffs for [community] (20 total) == * aegisub-3.2.0-2 (i686) 0/1 signoffs * electricsheep-2.7b33-17 (i686) 0/1 signoffs * erlang-17.1-2 (i686) 0/1 signoffs * filezilla-3.9.0.2-1 (i686) 0/1 signoffs * ibus-skk-1.4.1.20140813-1 (i686) 0/1 signoffs * libskk-1.0.1-3 (i686) 0/1 signoffs * mediainfo-gui-0.7.69-2 (i686) 0/1 signoffs * poedit-1.6.7-2 (i686) 0/1 signoffs * springlobby-0.196-2 (i686) 0/1 signoffs * wxcam-1.1-6 (i686) 0/1 signoffs * aegisub-3.2.0-2 (x86_64) 0/2 signoffs * electricsheep-2.7b33-17 (x86_64) 0/2 signoffs * erlang-17.1-2 (x86_64) 0/2 signoffs * filezilla-3.9.0.2-1 (x86_64) 0/2 signoffs * ibus-skk-1.4.1.20140813-1 (x86_64) 0/2 signoffs * libskk-1.0.1-3 (x86_64) 0/2 signoffs * mediainfo-gui-0.7.69-2 (x86_64) 0/2 signoffs * poedit-1.6.7-2 (x86_64) 0/2 signoffs * springlobby-0.196-2 (x86_64) 0/2 signoffs * wxcam-1.1-6 (x86_64) 0/2 signoffs == Top five in signoffs in last 24 hours == 1. eric - 2 signoffs 2. bisson - 2 signoffs

1 0

[aur-general] Signoff report for [community-testing]
by Arch Website Notification 12 Aug '14

12 Aug '14

=== Signoff report for [community-testing] === https://www.archlinux.org/packages/signoffs/ There are currently: * 16 new packages in last 24 hours * 0 known bad packages * 0 packages not accepting signoffs * 0 fully signed off packages * 30 packages missing signoffs * 0 packages older than 14 days (Note: the word 'package' as used here refers to packages as grouped by pkgbase, architecture, and repository; e.g., one PKGBUILD produces one package per architecture, even if it is a split package.) == New packages in [community-testing] in last 24 hours (16 total) == * aegisub-3.2.0-2 (i686) * electricsheep-2.7b33-17 (i686) * erlang-17.1-2 (i686) * filezilla-3.9.0.2-1 (i686) * mediainfo-gui-0.7.69-2 (i686) * poedit-1.6.7-2 (i686) * springlobby-0.196-2 (i686) * wxcam-1.1-6 (i686) * aegisub-3.2.0-2 (x86_64) * electricsheep-2.7b33-17 (x86_64) * erlang-17.1-2 (x86_64) * filezilla-3.9.0.2-1 (x86_64) * mediainfo-gui-0.7.69-2 (x86_64) * poedit-1.6.7-2 (x86_64) * springlobby-0.196-2 (x86_64) * wxcam-1.1-6 (x86_64) == Incomplete signoffs for [community] (30 total) == * acpi_call-1.1.0-11 (i686) 0/1 signoffs * aegisub-3.2.0-2 (i686) 0/1 signoffs * bbswitch-0.8-15 (i686) 0/1 signoffs * electricsheep-2.7b33-17 (i686) 0/1 signoffs * erlang-17.1-2 (i686) 0/1 signoffs * filezilla-3.9.0.2-1 (i686) 0/1 signoffs * mediainfo-gui-0.7.69-2 (i686) 0/1 signoffs * poedit-1.6.7-2 (i686) 0/1 signoffs * r8168-8.038.00-10 (i686) 0/1 signoffs * rt3562sta-2.4.1.1_r1-9 (i686) 0/1 signoffs * springlobby-0.196-2 (i686) 0/1 signoffs * tp_smapi-0.41-52 (i686) 0/1 signoffs * vhba-module-20140629-6 (i686) 0/1 signoffs * virtualbox-modules-4.3.14-5 (i686) 0/1 signoffs * wxcam-1.1-6 (i686) 0/1 signoffs * acpi_call-1.1.0-11 (x86_64) 0/2 signoffs * aegisub-3.2.0-2 (x86_64) 0/2 signoffs * bbswitch-0.8-15 (x86_64) 0/2 signoffs * electricsheep-2.7b33-17 (x86_64) 0/2 signoffs * erlang-17.1-2 (x86_64) 0/2 signoffs * filezilla-3.9.0.2-1 (x86_64) 0/2 signoffs * mediainfo-gui-0.7.69-2 (x86_64) 0/2 signoffs * poedit-1.6.7-2 (x86_64) 0/2 signoffs * r8168-8.038.00-10 (x86_64) 0/2 signoffs * rt3562sta-2.4.1.1_r1-9 (x86_64) 0/2 signoffs * springlobby-0.196-2 (x86_64) 0/2 signoffs * tp_smapi-0.41-52 (x86_64) 0/2 signoffs * vhba-module-20140629-6 (x86_64) 0/2 signoffs * virtualbox-modules-4.3.14-5 (x86_64) 0/2 signoffs * wxcam-1.1-6 (x86_64) 0/2 signoffs == Top five in signoffs in last 24 hours == 1. allan - 7 signoffs 2. eric - 4 signoffs 3. thestinger - 3 signoffs

1 0

[aur-general] Brother packages and some others
by Berno Strik 11 Aug '14

11 Aug '14

Hello all, Since i'm leaving Arch for Porteus I will be disowning my AUR-packages within the next hour so that other people can take ownership. I've always enjoyed Arch and the community, keep up the good work. Aur maintainer "libernux"

1 0

[aur-general] Inactive TU -- Federico Cinelli
by Lukas Fleischer 11 Aug '14

11 Aug '14

Hi, since it was mentioned on IRC: It looks like Federico Cinelli is inactive and should be brought up for special removal according to [1]. We usually try not to be overly pedantic with these rules, but Federico has been MIA for a long time now: * Last SVN commit on 2013-12-04. * Did not send a mail to the mailing lists for ~6 months. * Inactive on the AUR (there are orphan requests for his packages). * Inactive on the bug tracker. * Inactive on IRC. I sent him an email a couple of days ago but didn't receive a reply. Hope he is doing well! Let the discussion period begin, the voting period will start on 2014-08-05. [1] https://aur.archlinux.org/trusted-user/TUbylaws.html#_special_removal_of_an…

1 2

[aur-general] Signoff report for [community-testing]
by Arch Website Notification 11 Aug '14

11 Aug '14

=== Signoff report for [community-testing] === https://www.archlinux.org/packages/signoffs/ There are currently: * 0 new packages in last 24 hours * 0 known bad packages * 0 packages not accepting signoffs * 0 fully signed off packages * 14 packages missing signoffs * 0 packages older than 14 days (Note: the word 'package' as used here refers to packages as grouped by pkgbase, architecture, and repository; e.g., one PKGBUILD produces one package per architecture, even if it is a split package.) == Incomplete signoffs for [community] (14 total) == * acpi_call-1.1.0-11 (i686) 0/1 signoffs * bbswitch-0.8-15 (i686) 0/1 signoffs * r8168-8.038.00-10 (i686) 0/1 signoffs * rt3562sta-2.4.1.1_r1-9 (i686) 0/1 signoffs * tp_smapi-0.41-52 (i686) 0/1 signoffs * vhba-module-20140629-6 (i686) 0/1 signoffs * virtualbox-modules-4.3.14-5 (i686) 0/1 signoffs * acpi_call-1.1.0-11 (x86_64) 0/2 signoffs * bbswitch-0.8-15 (x86_64) 0/2 signoffs * r8168-8.038.00-10 (x86_64) 0/2 signoffs * rt3562sta-2.4.1.1_r1-9 (x86_64) 0/2 signoffs * tp_smapi-0.41-52 (x86_64) 0/2 signoffs * vhba-module-20140629-6 (x86_64) 0/2 signoffs * virtualbox-modules-4.3.14-5 (x86_64) 0/2 signoffs == Top five in signoffs in last 24 hours == 1. thomas - 1 signoffs

1 0

[aur-general] Discussion about AUR packages signing
by Fabien Dubosson 11 Aug '14

11 Aug '14

Hi, I want to start a discussion about AUR packages signing. If this debate already happened, it means that I'm not really good with Google or unfortunate in the keywords I used in my searches: in these cases forgive me and just give me some pointers. TL;DR I personally "trust" some AUR users who have several good-quality packages, and an optional way to sign AUR packages would permit me to know that I can build and update their packages without worrying too much. Let me introduce my thoughts by explaining the context: when I need an application, I start by looking at the official packages. If it is not existing, I continue by looking in AUR, and eventually if there is no corresponding packages there I wrote my own PKGBUILD and share it. I think this is the most common workflow for arch users. If there is the need to build packages from AUR, preferences differs more between people. Some likes to use AUR-helpers, others try to avoid using unsupported packages, and a last group always build AUR PKGBUILD manually. Official and own-made packages can be used (more-or-less) safely. AUR packages need to be used with precautions, because they come from untrusted users and can be potentially dangerous. Actually this is one of the reason why some people are not using AUR-helpers and prefer to build packages manually. People that avoid to use unsupported packages are not concerned by this discussion, so I'll skip them. People that are building packages manually are doing so mainly to deeply check packages they install, so they must not be very interested with AUR package signing (or maybe are they?). I will then focus on people (like me) that use an AUR-helper in their workflow. I always read PKGBUILDs the first time that I want to install one of them in one of my computers (work, home, laptop). When a new version is released, my AUR-helper will ask me to update it, but after the second or third time I see that the package is well-written, I don't want to look every time at the PKGBUILD, patches and *.install files. In some sense, I start to "trust" to the package owner. With AUR-helpers it is easy to skip this part and just build the packages, but there is a drawback: the package owner can change. The problem with this situation is if the package is orphaned and a new owner start to maintain it, it would not be noticeable. This is where package signing in AUR would be very useful. You give your trust to some users who maintain several good-quality packages. And as long as you build packages signed by those users, you know you are safe to update them without looking at sources. It would also offers some other warranties: no usurpation of maintainer work, no corruption in case of AUR website weakness, etc. Also the solution can be quite simple: The `*.src.tar.gz` can be signed by the owner and the signature file can be uploaded to AUR, next to the source aurball. Later, both files can be downloaded by the user or the AUR-helper and verified with gpg. The rest of the logic must be implemented in AUR-helpers. Some other remarks: - It differs from the notion of TU because the goal is not to give a keyring of trust-able people to all users, but only to permit users who want to trust personally some AUR maintainers to do so. - Of course this doesn't prevent corruption of upstream sources nor offers perfect security. But it is better than nothing, and can potentially focus some unnoticed maintainer changes. - I read some times ago that the goal is to move from AUR to git one day. In this case signing the `*.src.tar.gz` would not be possible and a more complex solution will maybe be needed. Is something like this envisaged? What are your thoughts about this subject? Regards, ++ Fabien

7 11

[aur-general] Signoff report for [community-testing]
by Arch Website Notification 10 Aug '14

10 Aug '14

=== Signoff report for [community-testing] === https://www.archlinux.org/packages/signoffs/ There are currently: * 0 new packages in last 24 hours * 0 known bad packages * 0 packages not accepting signoffs * 0 fully signed off packages * 14 packages missing signoffs * 0 packages older than 14 days (Note: the word 'package' as used here refers to packages as grouped by pkgbase, architecture, and repository; e.g., one PKGBUILD produces one package per architecture, even if it is a split package.) == Incomplete signoffs for [community] (14 total) == * acpi_call-1.1.0-11 (i686) 0/1 signoffs * bbswitch-0.8-15 (i686) 0/1 signoffs * r8168-8.038.00-10 (i686) 0/1 signoffs * rt3562sta-2.4.1.1_r1-9 (i686) 0/1 signoffs * tp_smapi-0.41-52 (i686) 0/1 signoffs * vhba-module-20140629-6 (i686) 0/1 signoffs * virtualbox-modules-4.3.14-5 (i686) 0/1 signoffs * acpi_call-1.1.0-11 (x86_64) 0/2 signoffs * bbswitch-0.8-15 (x86_64) 0/2 signoffs * r8168-8.038.00-10 (x86_64) 0/2 signoffs * rt3562sta-2.4.1.1_r1-9 (x86_64) 0/2 signoffs * tp_smapi-0.41-52 (x86_64) 0/2 signoffs * vhba-module-20140629-6 (x86_64) 0/2 signoffs * virtualbox-modules-4.3.14-5 (x86_64) 0/2 signoffs == Top five in signoffs in last 24 hours == 1. lfleischer - 1 signoffs

1 0

[aur-general] Signoff report for [community-testing]
by Arch Website Notification 09 Aug '14

09 Aug '14

=== Signoff report for [community-testing] === https://www.archlinux.org/packages/signoffs/ There are currently: * 0 new packages in last 24 hours * 0 known bad packages * 0 packages not accepting signoffs * 0 fully signed off packages * 14 packages missing signoffs * 0 packages older than 14 days (Note: the word 'package' as used here refers to packages as grouped by pkgbase, architecture, and repository; e.g., one PKGBUILD produces one package per architecture, even if it is a split package.) == Incomplete signoffs for [community] (14 total) == * acpi_call-1.1.0-11 (i686) 0/1 signoffs * bbswitch-0.8-15 (i686) 0/1 signoffs * r8168-8.038.00-10 (i686) 0/1 signoffs * rt3562sta-2.4.1.1_r1-9 (i686) 0/1 signoffs * tp_smapi-0.41-52 (i686) 0/1 signoffs * vhba-module-20140629-6 (i686) 0/1 signoffs * virtualbox-modules-4.3.14-5 (i686) 0/1 signoffs * acpi_call-1.1.0-11 (x86_64) 0/2 signoffs * bbswitch-0.8-15 (x86_64) 0/2 signoffs * r8168-8.038.00-10 (x86_64) 0/2 signoffs * rt3562sta-2.4.1.1_r1-9 (x86_64) 0/2 signoffs * tp_smapi-0.41-52 (x86_64) 0/2 signoffs * vhba-module-20140629-6 (x86_64) 0/2 signoffs * virtualbox-modules-4.3.14-5 (x86_64) 0/2 signoffs == Top five in signoffs in last 24 hours ==

1 0

[aur-general] Delete Request
by sxe 08 Aug '14

08 Aug '14

The maintainer switched to GIT only so i renamed the package. Please delete: https://aur.archlinux.org/packages/kdestyle-kvantum-kde4/ Thanks, Andy

2 1

[aur-general] Signoff report for [community-testing]
by Arch Website Notification 08 Aug '14

08 Aug '14

=== Signoff report for [community-testing] === https://www.archlinux.org/packages/signoffs/ There are currently: * 2 new packages in last 24 hours * 0 known bad packages * 0 packages not accepting signoffs * 0 fully signed off packages * 16 packages missing signoffs * 0 packages older than 14 days (Note: the word 'package' as used here refers to packages as grouped by pkgbase, architecture, and repository; e.g., one PKGBUILD produces one package per architecture, even if it is a split package.) == New packages in [community-testing] in last 24 hours (2 total) == * libgit2-1:0.21.1-1 (i686) * libgit2-1:0.21.1-1 (x86_64) == Incomplete signoffs for [community] (16 total) == * acpi_call-1.1.0-11 (i686) 0/1 signoffs * bbswitch-0.8-15 (i686) 0/1 signoffs * libgit2-1:0.21.1-1 (i686) 0/1 signoffs * r8168-8.038.00-10 (i686) 0/1 signoffs * rt3562sta-2.4.1.1_r1-9 (i686) 0/1 signoffs * tp_smapi-0.41-52 (i686) 0/1 signoffs * vhba-module-20140629-6 (i686) 0/1 signoffs * virtualbox-modules-4.3.14-5 (i686) 0/1 signoffs * acpi_call-1.1.0-11 (x86_64) 0/2 signoffs * bbswitch-0.8-15 (x86_64) 0/2 signoffs * libgit2-1:0.21.1-1 (x86_64) 0/2 signoffs * r8168-8.038.00-10 (x86_64) 0/2 signoffs * rt3562sta-2.4.1.1_r1-9 (x86_64) 0/2 signoffs * tp_smapi-0.41-52 (x86_64) 0/2 signoffs * vhba-module-20140629-6 (x86_64) 0/2 signoffs * virtualbox-modules-4.3.14-5 (x86_64) 0/2 signoffs == Top five in signoffs in last 24 hours == 1. fyan - 6 signoffs 2. foutrelis - 4 signoffs 3. eric - 4 signoffs 4. ronald - 2 signoffs

1 0