On Wed, Feb 03, 2010 at 06:04:52PM +0000, Pierre Chapuis wrote:
On Wed, 03 Feb 2010 15:41:38 +0100, Thomas Bächler <thomas@archlinux.org> wrote:
I think it is a good idea. We could create the "AUR moderator" position instead of calling it "Semi-TU".
When I was a TU, I didn't care at all about moderating the AUR, and maybe other TUs feel the same and would rather do packaging. Conversely, you don't seem to care about packaging but about AUR moderation.
I am forwarding this to arch-dev-public for reference, but I guess ultimately the TUs have to decide.
I even think it could be a good idea to have "real" Trusted Users in the sense that they can be trusted as to which packages they publish on the AUR, not necessarily in binary form. They would be approved by some process, and then added to a list which could be used by software like yaourt / paktahn / bauerbill to let the users install their packages without checking the PKGBUILDs. The fact that a package on the AUR is maintained by one of these users (they would include current TUs and devs) would be accessible in the metadata (through the JSON RPC for example).
I know there used to be a flag like that on the AUR and that it didn't work, but I think it's mainly because it was on a "by package" basis instead of a "by user" basis, which makes it a lot more work for those who have to check.
As for what should be checked when users apply for this position, I would say at least:
- a sufficient expertise in packaging, proved by the existence of several good packages maintained by them on the AUR, and
- a means to contact them efficiently (valid email address).
Anyway this is just my two cents as an Arch user, but I consider the lack of any way to trust AUR PKGBUILDs without reading them to be the thing that annoys me most with Arch as of now.
What about a peer trust network? Publishing packages on the AUR would involve giving a PGP public key. People sign their PKGBUILDs using their private key. People can define trust relationships towards other people ("I trust this person to write good PKGBUILDs" and "I trust this person's trust in others"). Being a TU would mean being signed by the TU-Authority (or whatever) and trusting the TU authority's trust would mean you can install packages that are created by TUs.

--
Florian Friesdorf <flo@chaoflow.net>
GPG FPR: EA5C F2B4 FBBB BA65 3DCD E8ED 82A1 6522 4A1F 4367
Jabber/XMPP: flo@chaoflow.net
OTR FPR: 9E191746 213321FE C896B37D 24B118C0 31785700
IRC: chaoflow on freenode,ircnet,blafasel,OFTC
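
The two kinds of trust named in the proposal above, resolved into an install decision. This is an added example, not part of the original thread or of any AUR tool. It assumes the PGP signature on a PKGBUILD has already been verified and mapped to a signer name; every name, the sample graph and the `max_depth` limit are hypothetical.

```python
from collections import deque

# Constructed sample data. PACKAGER[a]: people a trusts to write good PKGBUILDs.
# INTRODUCER[a]: people whose trust in others a accepts.
PACKAGER = {
    "alice": {"bob"},
    "bob": {"mallory"},            # bob vouches for mallory
    "tu-authority": {"tu1", "tu2"},
    "carol": {"dave"},
    "erin": {"frank"},
}
INTRODUCER = {
    "alice": {"tu-authority", "carol"},
    "carol": {"erin"},
    "erin": {"carol"},             # cycle: must not loop forever
}


def trusted_packagers(user, packager=PACKAGER, introducer=INTRODUCER, max_depth=2):
    """Return {signer: trust chain} for every signer `user` may install from.

    Packager trust is not transitive: a vouch only counts when it comes from
    `user` or from someone reachable through introducer edges, at most
    `max_depth` introducer hops away.
    """
    chains = {}
    seen = {user}
    queue = deque([(user, [user])])
    while queue:
        node, path = queue.popleft()
        for signer in sorted(packager.get(node, ())):
            chains.setdefault(signer, path + [signer])  # BFS keeps shortest chain
        if len(path) - 1 >= max_depth:                  # introducer hops used so far
            continue
        for nxt in sorted(introducer.get(node, ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return chains


def may_install(user, signer, **kw):
    """True if a PKGBUILD signed by `signer` is installable unread by `user`."""
    return signer in trusted_packagers(user, **kw)


if __name__ == "__main__":
    for signer, chain in sorted(trusted_packagers("alice").items()):
        print(signer, "via", " -> ".join(chain))
```

Returning the chain rather than a bare yes/no lets a helper show the user why a package was accepted, and shows which vouch to revoke if a signer turns out to be untrustworthy.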