On 09/05/2017 02:07 PM, Morten Linderud wrote:
Hello Archers and Arch overlords!
# Introduction: My name is Morten Linderud, or better known as Foxboron. I'm writing this application to join the TU team. My sponsor is Jelle van der Waa.
Yay :)
During last year's Chaos Communication Congress I got in touch with anthraxx and shibumi. They introduced me to their security meet up along with jelle and rgacogne. This ended up with me assisting the reviewing of security advisories, and I have now been added as a CVE reporter to the team.
I can confirm that this happened, and we are happy to have you around for security stuff. Now, I'm going to take a look at your AUR... Let the hunt begin *giggle*

archur-git:
- VCS package missing provides/conflicts

bmusb:
- would be more error prone and convenient to keep pkgver in sync when using a pkgver() function for pinned commits and f.e. do: git describe --always | sed 's/^v//;s/-/./g'
- url variable points to a 403 page

buildah-git:
- VCS package missing provides/conflicts
- license can be changed to 'Apache' as that is already in common licenses and points to version 2.0
- clone URL could use TLS via git+https

cryptomator:
- cryptomator.sh should use quotes for $PATH as it may contain spaces

cubemap:
- VCS package missing provides/conflicts
- source name must contain something unique for the current tarball like the commit hash, otherwise it collides with an existing download of a previous version and just fails on checksum matching
- fails to build: configure: error: Package requirements (libsystemd) were not met, seems to require it

dep-git:
- VCS package missing provides/conflicts
- clone URL could use TLS via git+https
- use quotes for $PATH and $GOPATH as they could contain spaces

dmenu-extended:
- VCS package not named dmenu-extended-git, either rename or use a pinned commit (you promised that a year ago in the comments *giggle* :P :D )
- python packages should have a build function as it's building binary artifacts via setup.py and a named function is needed in the future to make py packages reproducible

jottalib:
- uses static string in the source v0.5.1.tar.gz that can be replaced by $pkgver
- not an 'any' arch as it builds binary artifacts
- seems to contain a lot of test cases run by travis, maybe try to include molecule
- URL pin-points to 2.0.0.rc12 (which isn't even used anymore)
- would be more error prone and convenient to keep pkgver in sync when using a pkgver() function for pinned commits and f.e. do: git describe --always | sed 's/^v//;s/-/./g'
- test cases could be run via tox
- could build docs like txt and man via sphinx in doc folder
- outdated for 20 hours, 2.0.4 release *giggle*

nageru:
- 1.6.2 has been released

protege-distribution:
- try to build from source rather than redistribute precompiled binary blobs

nodejs-how2:
- could possibly be pulled via TLS https because why not :P
- npm install package should forcefully fixup $pkgdir/usr files/dirs as it's a non-deterministic race condition bug that upstream still fails to find and fix. It can lead to the node_modules dir being world writable and it contains code, f.e. line 26: https://git.archlinux.org/svntogit/community.git/tree/trunk/PKGBUILD?h=packa...

nerd-fonts-git:
- VCS package missing provides/conflicts

python-anyconfig:
- uses setuptools entrypoint functionality and therefore must hard depend on python{,2}-setuptools instead of just makedepends
- you could distribute the LICENSE.MIT file as MIT is not a common included license
- you could run tests via tox

python-gilt:
- package_python2-gilt() must depend on python2 instead of python and python2-giturlparse instead of python-giturlparse
- test cases could be run via tox, therefore all py2+3 dependencies should be added to checkdepends and tox be invoked
- could build docs like txt and man via sphinx in doc folder

python-marshmallow:
- test cases could be run via tox, therefore all py2+3 dependencies should be added to checkdepends and tox be invoked
- could build docs like txt and man via sphinx in doc folder
- you could distribute the LICENSE.MIT file as MIT is not a common
- 2.13.6 has been released

python-vagrant:
- test cases could be run
- you could distribute the LICENSE.MIT file as MIT is not a common

python-testinfra:
- test cases could be run via pytest and included in checkdepends
- PBR_VERSION will fail if run with noextract as prepare() is skipped

python2-humanize:
- python packages should have a build function as it's building binary artifacts via setup.py and a named function is needed in the future to make py packages reproducible
- it depends on python while this is a python2 package
- test cases and docs can be used if github sources are fetched instead

python-rofi:
- should use a prefixed source with $pkgname and $pkgver to have a unique file per version and package as it may conflict with a global source dest setup

python-pychromecast:
- pkgdesc says "Library for Python 2 and 3 to..." how about including python2 via a split package then? :P
- python packages should have a build function as it's building binary artifacts via setup.py and a named function is needed in the future to make py packages reproducible
- maybe include the examples directory in the docs?

xoutputd-git:
- VCS package missing provides/conflicts
- install mode 655 on the bin file, is that on purpose or is 755 expected?
- makedepends on git missing
- you could distribute the LICENSE file as MIT is not a common

tmux-resurrect:
- must depend on tmux and bash

texcount:
- no need to unzip it yourself, it works pretty well without prepare and via bsdtar

cheers,
Levente
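Two of the review points above recur across packages: deriving pkgver from `git describe` for pinned commits, and forcibly clearing stray write bits under $pkgdir (the nodejs-how2 item, where a race in npm can leave node_modules world writable). The helpers below are an added example written for this page, not code from Levente's review or from any of the reviewed PKGBUILDs; they mirror the sed expression quoted in the review and assume GNU find's `-perm /mode` syntax. The function and variable names are my own.

```shell
#!/bin/sh
# Added example: two shell helpers for the review points above.
# Not from the original mail or any AUR package; names are hypothetical.

# Normalise a `git describe --always` string into a pacman-friendly pkgver.
# Uses exactly the sed expression suggested in the review:
#   drop a leading 'v', then turn every '-' into '.'.
# e.g. "v1.2.3-4-gabcdef" -> "1.2.3.4.gabcdef", "abc1234" -> "abc1234"
describe_to_pkgver() {
    printf '%s\n' "$1" | sed 's/^v//;s/-/./g'
}

# Count files and directories under "$1" that are group- or world-writable.
# Paths are always quoted, since $pkgdir (and $PATH) may contain spaces.
count_loose_perms() {
    find "$1" -perm /022 | wc -l | tr -d ' '
}

# Strip group/world write bits from everything under "$1" (a staged $pkgdir)
# and print how many entries were fixed. This is the "forceful fixup" the
# review asks for after `npm install`, done as a post-install sweep rather
# than trusting npm to get modes right.
fix_pkgdir_perms() {
    _dir="$1"
    _n=$(count_loose_perms "$_dir")
    find "$_dir" -perm /022 -exec chmod go-w {} +
    printf '%s\n' "$_n"
}
```

In a PKGBUILD the equivalent one-liner at the end of package() would be `find "$pkgdir" -perm /022 -exec chmod go-w {} +`; the counting wrapper here only exists so the sweep can be checked against a constructed tree.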