Hey Christian!
On 2019-02-25 6:21 PM, Christian Rebischke via aur-general wrote:
1. Can you describe in a few sentences how you build your packages for the AUR and for your own repository?
For the AUR: I just run makepkg -i and makepkg --printsrcinfo > .SRCINFO. I keep it pretty casual for the AUR.
For my own repository: I have a script called pkgkit[0] which automates some of the work. It automatically takes care of things like bumping pkgrel & checksums, common sources of human error. Then I submit it to my CI with this[1] build manifest, which boots up a fresh Arch Linux VM to build the package on, and uploads it to my repo.
[0] https://git.sr.ht/~sircmpwn/sr.ht-pkgbuilds/tree/master/pkgkit
[1] https://git.sr.ht/~sircmpwn/sr.ht-pkgbuilds/tree/master/build.yml
2. How do you keep track of updates of upstream software? Do you use a specific software for it? Which one?
For the AUR I don't keep up with upstream releases, I just wait for someone to mark the package as outdated. For Alpine Linux I use a combination of subscribing to the upstream -announce mailing list and subscribing to GitHub releases as appropriate; would do something similar for Arch Linux community.
3. Do you plan to socialize with the community? If yes: on which platforms? If no: why?
Sure, and I already do some. Just on IRC.
4. What do you like about Arch Linux the most? What do you hate about it? (You can be open here, I will not judge ^___^)
I like that everything is up to date and for the most part Just Werks. I dislike glibc and systemd, but we needn't take that particular flamewar any further than that.
5. Are you willing to attend real-life meetups at conferences like FrosCon, CCC, etc?
Yep. I met many Arch Linux developers at FOSDEM a few weeks ago.
6. Do you have any experience with security?
This is a pretty broad and open ended question. I suppose my answer is "yes"?
7. A user opens a bug report, where the user reports a security vulnerability in one of your packages. The security vulnerability is unknown and seems to be a 0-day. How do you react?
I let upstream know about the issue and then hand them the reins. I consider a security vulnerability an upstream problem and delegate authority on how to proceed to them. When a fix is available I'll ship it in my Arch package. I'm not really into the whole responsible disclosure aka pressuring upstream into fixing it yesterday kind of approach.
That's all from me. Thanks for your hard work with sway btw :)
:)