On Sun, 2 Jul 2017 03:49:10 -0400, Eli Schwartz via aur-general wrote:
> ... That is entirely up to the maintainer of said package.
Hi, yes, and this shouldn't change. I just want to suggest being responsible and adding a note.
> Even if it weren't entirely up to the maintainer to pin comments, who are you proposing should be responsible for determining what packages should come with warnings, and then providing such warnings? And what makes you think people will *see* those warnings for packages that are typically not installed on their own, but as dependencies for something else?
Next!
Apart from the risks mentioned, if you e.g. google for webkit+CVE+linux and similar search terms, we could assume that if a package gets dropped from official Arch repositories and from other distros as well for security reasons, those reasons are high security risks that never or much too seldom get fixed. If upstream is aware of such issues, they usually try to get rid of such a dependency or at least allow building without webkit or any other high-risk vulnerable software, so Arch repositories provide claws-mail without the fancy plugin, provide guitarix2 compiled without webkit, and browsers based upon webkit are removed from the Arch Wiki lists of applications, https://wiki.archlinux.org/index.php/List_of_applications/Internet#WebKit-ba... , even while they still might be available in the AUR; at least xombrero still is. So AUR PKGBUILDs like qtwebkit, webkitgtk and webkitgtk2 are easy to identify as objectively highly risky. If other high-risk vulnerable software is provided, it would be easy for the maintainer to identify this software as well. If software such as the mentioned webkit is discussed for more than a year and e.g. was on an Arch phasing-out todo list before being completely removed from official repositories, it's not that much of a subjective opinion.

Ok, using an AUR helper like yaourt would display the latest comments only, but not pinned comments. With or without an AUR helper, it doesn't harm to care a little bit about comments, as well as pinned comments, instead of building everything without care. Maybe a comment added to the PKGBUILD of high-risk vulnerable software could be done, too. Note "Warning: Carefully check all files. Carefully check the PKGBUILD and any .install file for malicious commands." - https://wiki.archlinux.org/index.php/Arch_User_Repository#Build_and_install_... So we could assume that users tend to take a look at the PKGBUILD and would notice a warning. The PKGBUILD even could provide a msg. Messages are not necessarily limited to information such as msg "applying patch-${_pkgver}"; they could also provide a warning.

Regards,
Ralf