On Sun, 14 Oct 2018 23:38:54 +0200 Baptiste Jonglez <baptiste@bitsofnetworks.org> wrote:

> Hi,
>
> On 14-10-18, Doug Newgard via aur-general wrote:
>> Decided to take a quick look at your PKGBUILDs, and just a few spot checks makes me wonder. The first one I click on is apache-flex-sdk, I see that you aren't the original submitter, so I look at the git log and see that the first thing you did when taking over this was to remove pgp checks from the source. WTF. Look at the PKGBUILD, see a totally useless prepare function, ok, not a big thing. Let's check another one, clicked on flif, see msg2s being used for no reason and bad conflicts. Click on a couple more, see that those issues aren't mistakes, they're a fundamental misunderstanding.
>>
>> Maybe my perception was colored by that really bad decision to remove the pgp checks, and while the PKGBUILDs are mostly fine, there seems to be things about packaging that you don't understand yet. Is it time to become a TU already?
>
> Well, as always, you could start by not being immediately aggressive towards people.

Please read my email again, it was not aggressive in any way. My response to your candidate would be aggressive, I'm still deciding if I want to actually send that.

> Judging from the handful of PKGBUILDs I've read, the quality is really high overall, they don't even have most of the "classical" small mistakes (there is source renaming when needed, etc). We don't require new TUs to do everything perfectly, and nothing is ever perfect anyway. There's always something new to learn.

I'm not talking about expecting perfection, I'm seeing consistent issues that point to a possible misunderstanding on how packaging is handled. That is a cause for concern and worth being brought up.

> Regarding the PGP checks, there is no question that they are very useful and desirable for packages in our repositories. I am sure that Daniel will make efforts to add PGP checks wherever possible when he moves packages to [community]. But for the AUR, the situation is a bit different (in my opinion) because I know it throws some people off when they don't know that they have to import a PGP key to build the package. I tend to include them anyway now, but I would understand that somebody would like not to.

The situation in the AUR is no different at all. Downgrading PKGBUILDs to appease users who don't want to learn anything is a serious problem and is a cause for grave concerns.

> Anyway, for the specific case of apache-flex-sdk, look at the comments: the signing key simply seemed to have expired.
>
> Baptiste
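For readers who have not seen what the "pgp checks" discussed above actually look like in a PKGBUILD, here is an added illustration (it is not from this thread, nor the real apache-flex-sdk or flif PKGBUILD). It shows the makepkg convention the thread refers to: a detached `.asc` signature listed alongside the tarball in `source`, `SKIP` as the checksum for the signature file, and the upstream signing key's fingerprint in `validpgpkeys`. The package name, URL, checksum and fingerprint are placeholders, and the keyserver in the comment is just one possible choice; the `check_fingerprint_format` helper is a small sanity check of my own, not part of makepkg.

```bash
# Added example, not from the thread and not a real AUR package.
# Placeholders only: pkgname, URL, sha256sum and the key fingerprint.
pkgname=example-pkg
pkgver=1.0.0
pkgrel=1
pkgdesc="Placeholder package showing makepkg signature verification"
arch=('any')
url="https://example.org/${pkgname}"
license=('MIT')
# Tarball plus its detached OpenPGP signature. makepkg verifies the .asc
# against validpgpkeys before the build starts; removing the .asc entry and
# validpgpkeys is the "downgrade" the thread complains about.
source=("https://example.org/releases/${pkgname}-${pkgver}.tar.gz"
        "https://example.org/releases/${pkgname}-${pkgver}.tar.gz.asc")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000' # placeholder, replace with the real hash
            'SKIP')                                                            # signature files are not checksummed
# Full 40-hex-digit fingerprint of the upstream signing key (placeholder value).
validpgpkeys=('0000000000000000000000000000000000000000')

# Users building from the AUR must have the key in their own keyring first,
# otherwise makepkg aborts with an "unknown public key" error. One way to
# fetch it (keyserver choice is an assumption):
#   gpg --keyserver hkps://keys.openpgp.org --recv-keys 0000000000000000000000000000000000000000
#   makepkg -s

# Helper (not part of makepkg): reject short key IDs, which are trivially
# collidable. validpgpkeys must hold full fingerprints.
check_fingerprint_format() {
    case "$1" in
        *[!0-9A-Fa-f]*) return 1 ;;   # non-hex characters
    esac
    [ "${#1}" -eq 40 ]
}
```

With this in place, `makepkg` fails closed if the signature does not verify or the signing key is not in `validpgpkeys`; an expired upstream key, as mentioned for apache-flex-sdk, is a reason to update the fingerprint or refresh the key, not to drop the check.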