On 01/07/2017 03:32 PM, Bruno Pagani via aur-general wrote:
Hi everyone,
My name is Bruno Pagani (a.k.a. ArchangeGabriel, or just archange [...]
Hey Bruno, nice to hear that you want to join the great ArchLinux project as TU. I am aware the discussion period has not started yet, but I think it's fine if I already give some feedback. I've checked your PKGBUILDs and I've noted a few things (which I also did wrong or sometimes forget). Those are mostly only concerning security aspects which I find important. If you followed the recent discussion you might have noticed that some people differ from this opinion. Please take it as a kind notice for you, use it if you wish :)

* For GitHub downloads .tar.gz is preferred over .zip in general, if I am not wrong.
* Prefix your source download with ${pkgname}-${pkgver}.tar.xz:: if you have a common SRCDIR. I also recently changed to a common src dir, as too many packages blow up my directories.
* You can use https for SourceForge downloads soon/now [1] (bs1770gain).
* Thanks for using sha256sums. You may want to use the even stronger sha512sums, as it does not hurt to use stronger hashes *duck*
* certbot-user: the gpg keys should have a comment with the owner of the trusted keys (as you did with exfalso, but with email).
* mpd-{sserver,}minimal uses a sha1sum. If it's an upstream hash please contact them to use stronger hashes and include a stronger one as well. You can use multiple hashes in the PKGBUILD (as in weboob-headless).
* powerdevil/spectacle-light uses http downloads. Even though gpg signatures are used, it would be nice to have https available anyway. It seems KDE misconfigured their download subdomain for https, so you might want to contact them about that?
* What I also do is to put my own GPG ID inside my PKGBUILDs, so people can more simply verify/find my key. Just as an idea.
* For those projects who don't use GPG signatures yet, you might want to kindly contact them. I've written a script + instructions for using gpg along with a template to contact upstreams [2]. You might want to check it out.
* If you want to move whipper, please consider taking part in the discussion about gpg [3]. Please don't take it personally, some people felt personally offended, while this was not the intention. You have the chance to also speak up for stronger security. I do not want to end this in an offtopic discussion, maybe you can help too ;)

Cheers
~Nico

[1] https://github.com/arduino/Arduino/pull/5772#issuecomment-269715945
[2] https://github.com/NicoHood/gpgit#a-template-for-contacting-upstreams
[3] https://github.com/JoeLametta/whipper/issues/77
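As an added example, not part of Nico's mail or of any Arch tooling: a small POSIX sh lint that flags the PKGBUILD points raised above (plain http sources, md5/sha1 arrays without a strong array, GitHub .zip archives, signatures without pinned keys, fingerprints without an owner comment), run over two constructed PKGBUILD fixtures. The function names, the fixtures and their placeholder digests are assumptions.

```shell
#!/bin/sh
# Added example, not from the mail or from any Arch tool: a POSIX sh lint that
# flags the PKGBUILD points raised above. Function names are hypothetical.
# lint_pkgbuild FILE: print one finding per line, nothing when clean.
lint_pkgbuild() {
    f=$1
    # plain http:// sources: a GPG signature does not replace transport security
    grep -n 'http://' "$f" | sed 's/^/http-source: line /'
    # md5/sha1 arrays are too weak to stand alone, and a strong array must exist
    grep -nE '^[[:space:]]*(md5sums|sha1sums)=' "$f" | sed 's/^/weak-hash: line /'
    grep -qE '^[[:space:]]*(sha256sums|sha512sums)=' "$f" ||
        echo "no-strong-hash: add sha256sums or sha512sums"
    # GitHub .zip archives where a .tar.gz is available
    grep -nE 'github\.com/.*\.zip' "$f" | sed 's/^/github-zip: line /'
    # a .sig/.asc is fetched but no trusted key is pinned
    if grep -qE '\.(sig|asc)' "$f" && ! grep -qE '^[[:space:]]*validpgpkeys=' "$f"; then
        echo "missing-validpgpkeys: signature fetched but no trusted key listed"
    fi
    # every pinned fingerprint should carry a comment naming its owner
    grep -nE "^[[:space:]]*'?[0-9A-Fa-f]{40}'?[[:space:]]*$" "$f" |
        sed 's/^/uncommented-key: line /'
    return 0
}
# Constructed fixtures (not real packages, digests are placeholders): the
# pattern the mail warns about, and its hardened counterpart.
write_weak_pkgbuild() {
cat > "$1" <<'EOF'
pkgname=example
pkgver=1.0
source=("https://github.com/example/example/archive/v${pkgver}.zip"
        "http://mirror.example.org/${pkgname}-${pkgver}.tar.gz"{,.sig})
sha1sums=('da39a3ee5e6b4b0d3255bfef95601890afd80709' 'SKIP')
validpgpkeys=(
    'ABCDEF0123456789ABCDEF0123456789ABCDEF01'
)
EOF
}
write_hardened_pkgbuild() {
cat > "$1" <<'EOF'
pkgname=example
pkgver=1.0
source=("${pkgname}-${pkgver}.tar.gz::https://github.com/example/example/archive/v${pkgver}.tar.gz"
        "https://mirror.example.org/${pkgname}-${pkgver}.tar.xz"{,.sig})
sha256sums=('PLACEHOLDER_UPSTREAM_SHA256' 'SKIP')
sha512sums=('PLACEHOLDER_LOCAL_SHA512' 'SKIP')
validpgpkeys=('ABCDEF0123456789ABCDEF0123456789ABCDEF01') # Example Maintainer <dev@example.org>
EOF
}
```

Running `lint_pkgbuild` on the weak fixture reports five findings with their line numbers; the hardened fixture reports nothing.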