Hi,

On 14-10-18, Doug Newgard via aur-general wrote:
> Decided to take a quick look at your PKGBUILDs, and just a few spot checks make me wonder. The first one I click on is apache-flex-sdk, I see that you aren't the original submitter, so I look at the git log and see that the first thing you did when taking over this was to remove pgp checks from the source. WTF. Look at the PKGBUILD, see a totally useless prepare function, ok, not a big thing. Let's check another one, clicked on flif, see msg2s being used for no reason and bad conflicts. Click on a couple more, see that those issues aren't mistakes, they're a fundamental misunderstanding.
>
> Maybe my perception was colored by that really bad decision to remove the pgp checks, and while the PKGBUILDs are mostly fine, there seem to be things about packaging that you don't understand yet. Is it time to become a TU already?

Well, as always, you could start by not being immediately aggressive towards people.

Judging from the handful of PKGBUILDs I've read, the quality is really high overall, they don't even have most of the "classical" small mistakes (there is source renaming when needed, etc.). We don't require new TUs to do everything perfectly, and nothing is ever perfect anyway. There's always something new to learn.

Regarding the PGP checks, there is no question that they are very useful and desirable for packages in our repositories. I am sure that Daniel will make efforts to add PGP checks wherever possible when he moves packages to [community]. But for the AUR, the situation is a bit different (in my opinion) because I know it throws some people off when they don't know that they have to import a PGP key to build the package. I tend to include them anyway now, but I would understand that somebody would like not to.

Anyway, for the specific case of apache-flex-sdk, look at the comments: the signing key simply seemed to have expired.

Baptiste