On Thu, Aug 25, 2022 at 08:43:38PM +0300, Leonidas Spyropoulos via aur-general wrote:
I'm the maintainer or co-maintainer for a few OpenBSD-derived packages in the AUR: openiked, rpki-client, and openbgpd. I've been involved with OpenBSD since 2014 and became a project committer there in early 2016.
In the last two years I've submitted just over 150 patches to the Arch bug tracker: https://bugs.archlinux.org/index.php?opened=32638&status%5B%5D=
Many of these patches and bugs are switching to https and signed commits and given the limited AUR packages (3) you are involved as maintainer / co-maintaner I don't see a lot of PKGBUILDs to have a view on your packaging history.
Supply chain attacks are an area of interest for me, so getting more of our packages to use secure downloads and PGP verification has been one of my main focuses so far. When I first started building Arch packagees, I did a fairly deep dive into the repositories to find anything that was being pulled over HTTP or unencrypted git:// links. Some of the added PGP verification has been a result of me convincing the upstream projects to use it consistently. I think it's an effort worth pursuing.
My use of the AUR is somewhat limited, but the PKGBUILDs there should give you a general idea of my familiarity.
Some community packages I'd like to co-maintain are openntpd, opensmtpd, libressl, sndio, mandoc, signify, dnscrypt-proxy, bmake, scrot, firejail, xcalib, mktorrent, parallel, ncmpcpp...
Some of these are with a sole maintainer which is great since they could be busy +1
I tried to pick ones with two or fewer maintainers. There are some others I'd be glad to co-maintain, but didn't feel like it was necessary when they had more than two maintainers already.
And more (frankly, lots more) in the core/extra repos if that option opens up in the future. [..] If I'm accepted, one of my goals will be to get missing security fixes into Arch's repository shortly after their upstream release.
What stops you from opening bug report and submitting patches for those now without being a TU? If these are in core/extras your options would be the same as you have now, right?
As far as core/extra repos go, yes, I'll still be stuck submitting missing security fixes through the bugtracker for the time being. My hope is to one day gain access to those through becoming a developer, at which time I can get a lot more work done and make a bigger positive impact. Becoming a TU would be a good first step in that process though.
Thanks for your reply.