Hello,
I'd say automation is fine, if it opened a pull request which can be reviewed and tested. But blindly pushing new versions to the AUR is for me a no-go.
Yes, but the main part of this thread was not to discuss automation, that is not the issue. The issue is people want fully automated maintaining of AUR packages, which is just not possible. And this entire thread has been trying to prove CI/CD is intelligent enough to spot ALL the errors which could occur during a build and say that CI/CD can check them all, which is just not possible. I think people are forgetting that as a Maintainer you are meant to look into each update, read the change logs, check if there are any incompatibilities, patch out anything which is non-free (if possible) or patch any issues with the source which might not compile on Arch Linux for whatever reason, check new dependencies, check if dependencies have been removed, check if the compile procedure has changed, and thus the PKGBUILD will need rewriting, the list goes on. Sure, a PR to bump the release is always nice, but it should be checked against all the things I have named above, and then merged, then you push it manually. If you don't have the time for the above, try maintaining fewer packages, or try finding more time; there is no cheat code to maintaining packages.
In simple terms, automation is good, using it carelessly is bad.
Well, even carelessly it isn't bad; someone should always check whatever CI/CD task is executed. I feel developers rely too much on CI/CD these days and want to write a script to do everything, without realising that their intervention is still needed.
How can the Arch community educate the AUR maintainers to not push untested PKGBUILDs?
You can't! As I highlighted in an earlier post, the AUR is digging through PKGBUILDs until you find a decent one. TUs don't have all day to go through all packages and check whether they are sticking to the packaging guidelines. As far as I am aware, they mainly focus on ensuring no illegal packages are on the AUR, and no malicious packages, along with dealing with disputes about who should maintain what. If you feel that a package is poorly maintained, ask for co-maintainer or submit a patch to fix whatever it is. I do feel the packaging guidelines should reflect what both Anthraxx and Jelle have recommended. And I kindly ask, for the sake of the people who use fully automated packages, to please stop; you do not need to update the package within 2 hours of it being flagged out of date, you have upwards of 6 months until the package is orphaned, there is no reason to not be reviewing your packages before committing. Remember to always check a package before you build it; hopefully the TUs find and remove most of the malicious packages, but you better be safe than sorry.
Have a good evening,
--
Polarian
GPG signature: 0770E5312238C760
Website: https://polarian.dev
JID/XMPP: polarian@polarian.dev