On Tue, Jun 9, 2015 at 12:14 PM, Chris Warrick <kwpolska@gmail.com> wrote:
> On Tue, Jun 9, 2015 at 5:53 PM, Ido Rosen <ido@kernel.org> wrote:
>> I think some of the orphans on AUR are just maintained by multiple people. The usage pattern is:
>> Person A adopts, updates, and disowns. Person B some time later notices it's out of date, adopts, updates, disowns.
>> It seems perfectly reasonable to have multiple people maintain a package over time this way. Maybe we just need better support for this style of non-maintainership that isn't quite "orphaned"? Support for multiple maintainers/collaborators like on GitHub repos? (Outright owning a package in AUR prevents anyone else from updating it.)
>
> It also prevents a third party (Mallory) from taking it over and:
> (a) replacing it with something else (malware?); (b) preventing Alice and Bob from updating it; (c) requesting deletion; (d) [insert other harmful actions here].

Yes, that's right, and these are all good reasons why we should continue to have ownership, which is why I suggested we support something in-between as well (before I knew about co-maintainership capabilities in AUR, which basically resolve this).

>> if someone wants to update a package faster than I can get to it […]
>
> You should use some service that would tell you about package updates, for example requires.io for Python, or RSS feeds. Will take 5 minutes to do it in many cases (to update pkgver and the checksums)

Thanks for the suggestion, but these services don't work for some (or most) of the packages I maintain, and some of the packages are academic in nature. For updates that are just updating the pkgver & updpkgsums, I do those myself, but there are cases (major version changes, new feature requests, upstream breaks something, dependent packages break something, etc.) where debugging/more time is needed. That's when it may take me a week or more to get around to updating the package, in which case if someone else with more time gets to it sooner, I encourage them to submit a pull request and add them as a Contributor (and thank them for helping!). :-) Another thing that having the pull request workflow I use allows is for the users of the package to add things to the package (e.g. optdepends as they come out) and fix bugs. It makes my work after initially creating the package basically just QA to make sure their PRs don't break anything in many cases, which I like.

> --
> Chris Warrick <https://chriswarrick.com/>
> PGP: 5EAAEA16