On Tue, Jun 9, 2015 at 5:53 PM, Ido Rosen <ido@kernel.org> wrote:
I think some of the orphans on AUR are just maintained by multiple people. The usage pattern is:
Person A adopts, updates, and disowns. Person B some time later notices it's out of date, adopts, updates, disowns.
It seems perfectly reasonable to have multiple people maintain a package over time this way. Maybe we just need better support for this style of non-maintainership that isn't quite "orphaned"? Support for multiple maintainers/collaborators like on GitHub repos? (Outright owning a package in AUR prevents anyone else from updating it.)
It also prevents a third party (Mallory) from taking it over and: (a) replacing it with something else (malware?); (b) preventing Alice and Bob from updating it; (c) requesting deletion; (d) [insert other harmful actions here].
if someone wants to update a package faster than I can get to it […]
You should use some service that would tell you about package updates, for example requires.io for Python, or RSS feeds. Will take 5 minutes to do it in many cases (to update pkgver and the checksums)

--
Chris Warrick <https://chriswarrick.com/>
PGP: 5EAAEA16