On February 28, 2019 12:43:02 PM EST, Eli Schwartz via aur-general <aur-general@archlinux.org> wrote:
On 2/28/19 11:22 AM, Daniel M. Capella via aur-general wrote:
On February 28, 2019 8:58:06 AM EST, Jerome Leclanche <jerome@leclan.ch> wrote:
<snip>
OT: We should maybe have the AUR lint PKGBUILDs on git push (and reject really bad ones) if we want to improve that situation.
J. Leclanche
I've been thinking enforcing the use of makechrootpkg and namcap on package submission should be introduced, and maybe even on major (and minor?) version bumps for packages following semver.
LMAO no.
What part of
I would eagerly welcome any way to reliably do exactly that in an automated fashion, with the caveat that doing so more or less inevitably involves arbitrary code execution -- this is the reason why we in fact do not read the PKGBUILD at all, but created the .SRCINFO instead.
was not clear? We are not introducing arbitrary remote code execution by building all AUR packages before accepting them for upload?
You misread.
Furthermore if we were going to do this, we might as well host the binary results and not bother with this whole "AUR" thing at all.
Inb4 yes I'm aware of the number of false-positives in namcap.
If you explicitly state you're aware of the exact, in-depth reason why this is completely a no-go from the start, then... why did you say anything?
In case it wasn't obvious... namcap is an interactive review tool and completely unsuitable for automated judgment of *anything*. I also severely dislike the idea of enforcing ridiculous and inescapable restrictions *for any reason* on users who are doing nothing wrong, which most "namcap is God" victims will be.
In summary, I am putting on my aurweb maintainer hat and saying "no, we shall not enforce any such thing".
Further emails in this irrelevant tangent subthread derail of the TU application process are not necessary and I shall not bother responding to them, or reading further.
Every single reply you've given my emails since ignoring me on IRC has been as rude and oppressive as this one. As such, again I won't bother with a proper response. Please just treat the mailing lists like IRC and ignore me here as well. Also, grow up.

--
Best,
polyzen