Hello,

I was looking at the AUR today and I have realised a ton of packages with the prefix r-<package name> being updated within a minute of each other, and then found the user to be publishing them:

https://aur.archlinux.org/account/BioArchLinuxBot

By the name it seems this is a Bot. Anthraxx and Jelle have already discussed how this is not acceptable in a previous thread, see:

https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/me...
https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/me...

A draft has also been submitted on the ArchWiki to set this into stone:

https://wiki.archlinux.org/title/Talk:AUR_submission_guidelines#Automation_a...

Therefore I am bringing this user, and the packages which this has occurred on, to the TUs here. I have also attached an image to this email which is a screenshot of the recently updated packages; you can use the RSS feeds to back this up as well. It clearly shows that a large number of R packages were updated BY THE SAME USER within the span of 10 minutes.

Let me know what you think :)

Have a good day,
--
Polarian
GPG signature: 0770E5312238C760
Website: https://polarian.dev
JID/XMPP: polarian@polarian.dev
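The RSS check Polarian mentions, as an added example that is not part of this thread: a Python script that groups a feed's items by author and reports any account with several updates inside one ten-minute window. The feed text, the account names and the `dc:creator` author field are constructed assumptions for the example; check the real AUR feed's fields before relying on it.

```python
"""Flag bursts of AUR package updates by a single account in an RSS feed."""
from collections import defaultdict
from datetime import timedelta
from email.utils import parsedate_to_datetime
import xml.etree.ElementTree as ET

# Constructed sample shaped like an RSS 2.0 "recently updated" feed. The
# per-item dc:creator author field and all names here are assumptions.
SAMPLE_FEED = """<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel><title>AUR Modified Packages (constructed sample)</title>
<item><title>r-foo 1.2.0-1</title><dc:creator>ExampleBot</dc:creator>
<pubDate>Thu, 27 Apr 2023 15:00:10 +0000</pubDate></item>
<item><title>r-bar 0.9.1-1</title><dc:creator>ExampleBot</dc:creator>
<pubDate>Thu, 27 Apr 2023 15:01:05 +0000</pubDate></item>
<item><title>r-baz 2.0.0-1</title><dc:creator>ExampleBot</dc:creator>
<pubDate>Thu, 27 Apr 2023 15:03:40 +0000</pubDate></item>
<item><title>r-qux 1.0.0-2</title><dc:creator>ExampleBot</dc:creator>
<pubDate>Thu, 27 Apr 2023 15:07:12 +0000</pubDate></item>
<item><title>somepkg 3.1-1</title><dc:creator>human_user</dc:creator>
<pubDate>Thu, 27 Apr 2023 15:05:00 +0000</pubDate></item>
<item><title>r-old 0.1-1</title><dc:creator>ExampleBot</dc:creator>
<pubDate>Thu, 27 Apr 2023 10:00:00 +0000</pubDate></item>
</channel></rss>"""

DC = "{http://purl.org/dc/elements/1.1/}"  # Dublin Core namespace prefix

def parse_feed(xml_text):
    """Return (author, timestamp, title) tuples sorted by publication time."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        author = item.findtext(DC + "creator", default="?")
        when = parsedate_to_datetime(item.findtext("pubDate"))
        items.append((author, when, item.findtext("title")))
    items.sort(key=lambda t: t[1])
    return items

def find_bursts(items, window=timedelta(minutes=10), threshold=4):
    """Per author, titles of the densest run of updates inside one window.
    Only authors with at least `threshold` updates in that run are returned."""
    by_author = defaultdict(list)
    for author, when, title in items:
        by_author[author].append((when, title))
    bursts = {}
    for author, ups in by_author.items():
        best, start = [], 0
        for end in range(len(ups)):           # sliding window over sorted times
            while ups[end][0] - ups[start][0] > window:
                start += 1
            if end - start + 1 > len(best):
                best = [t for _, t in ups[start:end + 1]]
        if len(best) >= threshold:
            bursts[author] = best
    return bursts

if __name__ == "__main__":
    for who, titles in find_bursts(parse_feed(SAMPLE_FEED)).items():
        print(f"{who}: {len(titles)} updates within 10 min: {titles}")
```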
What are you, a cop? Did this break anything, or what's the specific issue here besides the implication of automation being used?

On Sat, Jun 3, 2023, 10:13 Polarian <polarian@polarian.dev> wrote:
Hello,
I was looking at the AUR today and I have realised a ton of packages with the prefix r-<package name> being updated within a minute of each other, and then found the user to be publishing them:
https://aur.archlinux.org/account/BioArchLinuxBot
By the name it seems this is a Bot, Anthraxx and Jelle have already discussed how this is not acceptable in a previous thread, see:
https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/me...
https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/me...
A draft has also been submitted on the ArchWiki to set this into stone:
https://wiki.archlinux.org/title/Talk:AUR_submission_guidelines#Automation_a...
Therefore I am bringing this user, and the packages which this has occurred on to the TUs here. I have also attached an image to this email which is a screenshot of the recently updated packages, you can use the rss feeds to back this up as well, it clearly shows that a large number of r packages were updated BY THE SAME USER within the span of 10 minutes.
Let me know what you think :)
Have a good day,
--
Polarian
GPG signature: 0770E5312238C760
Website: https://polarian.dev
JID/XMPP: polarian@polarian.dev
Hey friends,

On Sat, 3 Jun 2023 10:19:23 -0400 Tom Swartz <tom@tswartz.net> wrote:
Did this break anything, or what's the specific issue here besides the implication of automation being used?
All of the information was provided in the original message by Polarian. It basically boils down to this: a packager should test packages before uploading them, and this timeframe raises some suspicions about whether that has happened in this case. They could have tested all first and then automated the remote push.

cheers,
noodle
I am able to update many packages in one minute too. I just do my changes in all XX packages and simply select all repositories I want to push with one click (I am using a simple GUI tool for git operations like that). So am I a bot too?!

On the other hand I do not get why all are against automation.. claiming it's evil and that's it. It is clear that it makes no sense to just automate and think everything will go right though! Automation can help in making reliable software though, and to be honest software developers can't live without CI/CD and for sure not without automation tests these days. Modern development requires to pass tests for shell scripts, python code etc. before it will be published.

The mentioned post from the previous discussion is referring to something where the package might build but does not have any content or is unusable for any reason. Nothing(!) prevents that this happens other than by manual testing. Regardless of whether it was pushed automatically or manually, you can't be sure the committer has tested it correctly before.

I don't think that automation is a no-go for the AUR but we would need guidelines for automation and ideally for tests / checks instead. I personally would go even further and would require that before you can upload something to the AUR you need to pass syntax checks for code and general requirements for the package itself.

Just my 5ct
Thomas
I am able to update many packages in one minute too.
I just do my changes in all XX packages and simply select all repositories I want to push with one click (I am using a simple GUI tool for git operations like that).
So am I a bot too?!
The user in question has the word "Bot" in the name. I don't think there's a question of whether this is a bot or not. There's a real lack of accountability in allowing a script to push the packages you are maintaining to the AUR. In that case, you are not the one maintaining the package, your script is. It's not that I wasn't giving due diligence to the thing I said I would do; the script was lazy.
Ok, let me respond to all of you in a single email to prevent any more noise. This was simply me bringing it to the attention of the Arch staff that the ruling made in one thread is not representative of the AUR in the current state; in no way was I saying this had to be fixed, it was literally me bringing it up as a question on whether this is permitted or not.

Tom:
What are you, a cop?
I don't appreciate you putting me down, Arch stands as a community where everyone gets a say. What am I? I am one of the many contributors who have attempted to help out, and was simply bringing something I found interesting to the attention of the community, I didn't expect to be insulted in return.
Did this break anything, or what's the specific issue here besides the implication of automation being used?
I never said there was an issue, if you look at the subject you will see a '?' indicating it was a question, I was bringing something I noticed up to the community, I don't think I need to explain myself for this.

The implications of automatic pushes to the AUR are that Anthraxx has expressed that it is prohibited, and the AUR already has rules which could be seen as abusive such as:

- Do not have multiple arch accounts

So someone is holding a second account with the suffix "Bot" and my question was: is this prohibited or not?

TL;DR I was asking for clarification, and I do not think I communicated this poorly because noodle understood the intent, along with Matthew. I sent that email over a month ago, so it is not fresh in my memory, maybe I did poorly communicate, but I trust that I didn't based on the other responses I had today.

Also I would like to point out, Tom, that this was sent a month ago, which means it's pretty far back in your email history, it does feel like your only intent here was to insult me, because you did not give any helpful feedback, if you aren't interested in the discussion simply don't respond to the thread, it's that simple.

noodle:
basically boils down to that a packager should test packages before uploading them, this timeframe raises some suspicions if that has happened in this case. They could have tested all first and then automated the remote push.
I do believe the packages are well kept, I took a look at the GitHub repository provided by bioarchlinux, and it does seem like there is a lot of care put into their packages, but my point wasn't that the packages were of a poor quality, but more the fact that it is a bot account, and that it's a second account where we are not meant to have more than 1 Arch account, so my main point was simply "is this allowed?".
I am able to update many packages in one minute too.
Sure, you can bump quite a few versions in a minute, but have you tested them? Have you built them in a clean chroot? Have you checked the patch notes? Have you spoken with upstream about potential issues? Have the licences changed? Are there new dependencies? All of that takes a lot more than a couple of minutes, it is a chore to update packages sometimes, and if you rush it you will end up missing dependencies, or not fully testing it and breaking something.

You are not allowed to revert commits to the AUR unless they disclose personal information (such as signing it with a confidential email etc), so when you push that commit are you 100% sure that it builds on any Arch system, that it works? If not then you shouldn't push it, that is why many people have a second repository which they use to prototype, for example I have one on my git:

https://git.polarian.dev/AUR

pick a package such as google-cloud-cli:

https://git.polarian.dev/AUR/google-cloud-cli

and then check the pull requests:

https://git.polarian.dev/AUR/google-cloud-cli/pulls

I only accept that PR if I am 100% certain that the package works, and then pull the changes down to my laptop before pushing them to the AUR from my laptop (notice I do not use a bot to push the commits, I use my device and manually do it). Sure my method might be a lot more time consuming, I also do not use the dev scripts and do chroot builds manually because I prefer it that way, it fits my workflow better in other words.

So sure, update packages aimlessly, but when people start complaining about how they are poorly kept, that is your problem.
I just do my changes in all XX packages and simply select all repositories I want to push with one click (I am using a simple GUI tool for git operations like that).
So am I a bot too?!
No, that does not make you a bot, but it does raise suspicion. Why do you wait until you have updated every package before pushing it? It makes no sense. It can take me a good 3-4 hours to update 5-6 packages, depending on what I need to do and how complex the version bump is, and how much of the package I have to change. So if you push changes for let's say 20 packages all at once, that is a lot of time, and you don't push once? Despite it being finished and ready for people to pull? I am sorry but it seems you are making excuses to discredit me.
On the other hand I do not get why all are against automation.. claiming its evil and that's it.
Nobody here has said automation is bad, but automation can not replace the packager. Reposilite was a package I used to co-maintain (and now I am maintainer) and the maintainer used automation: they had a cron job running a script which checked upstream for updates, autobumped the package, even tested it in a clean chroot before submitting a pull request. I would like to double check it builds in a chroot manually (I need the package to deploy to my repository anyways, so it wasn't a waste of time) and then test it works and also namcap it to see if namcap throws anything. Automation can be useful, but a reposilite update would still take some of my time while I made sure it worked, I also checked for verbose errors in the build process, reporting warnings to upstream. You aren't thinking of anything new, there are people who set up CI/CD jobs and then don't touch the package for a year and let CI/CD do it all thinking that they have found some sort of life hack to maintain packages, which is not the case.
it is clear that it makes no sense to just automate and think everything will go right though!
Well at least you can agree on that.
automation can help in making reliable software though and to be honest software developers can't live without CI/CD and for sure not without automation tests these days. Modern development requires to pass tests for shell scripts, python code etc before it will be published.
I have always thought CI/CD is overrated, people rely on it too much, I am more than able to run tests, and verify the software is working. Sure I have never worked on a huge codebase, but I do not see the big need for CI/CD, it seems to be an industry which rakes in millions in profit, just out of the laziness of developers. It seems more like a corporate toy than a necessity for development in my opinion, a way to cut corners, hell some codebases merge patches into master as soon as they pass CI/CD, no human intervention required. I am not saying it's worthless, but it is severely overused.
I personally would go even further and would require that before you can upload something to the AUR that you need to pass syntax checks for code and general requirements for the package itself.
The AUR has guidelines, not strict rules, this has pros and cons, it's flexible for non-conforming software which is difficult to package, but it also allows people to be lazy or name packages differently. At the end of the day, whatever a package maintainer (TU) rules on is what the rule is, you are always free to object and a lot of the time a package maintainer (TU) is very understanding and will try to find a compromise.

Matthew:
The user in question has the word "Bot" in the name. I don't think there's a question of whether this is a bot or not.
Ok I will admit it is a little bit of a stupid question on my part asking whether someone with "Bot" in the name is a bot, but it's better never to make an accusation unless you are 100% sure.
There's a real lack of accountability in allowing a script to push the packages you are maintaining to the AUR. In that case, you are not the one maintaining the package, your script is. It's not that I wasn't giving due diligence to the thing I said I would do, The script was lazy.
There is a reason we are meant to push changes under our username, it makes us accountable for any breakages which occur, which is a good thing and a bad thing. It's bad because you will probably get embarrassed by a stupid mistake, but it is good because people are able to know who made the mistake and know exactly who to contact. There is a reason we stick our names/usernames and email at the top of PKGBUILDs, because it makes us accountable for the maintenance of the package. So it makes complete sense that a Bot breaks these normal guidelines.

Manfred:
please let me introduce here first as I am new to this list/community.
My name is Manfred Hollstein, being located in Germany and a Linux user since end of 1991. I have used Debian, Red Hat, SUSE Linux distributions since 1994 (10 pack floppy disk pack of SLS before that...) - had to use Ubuntu at my last job.
I worked with Cygnus Solutions, Red Hat, SUSE and finished my active professional career at Deutsche Telekom where I helped to build their open Cloud offerings. My technical background goes back to compiler construction (still listed as a GCC maintainer), which got widely extended to OS, Virtualization, Cloud, HPC and HA technologies over the various jobs I was active in.
Nice to meet you, you sure do have a lot more experience than I do :P Welcome to the mailing list :)
Packages named like r-<package name> indicate to me that they belong to the "R project for statistical computing". I have seen similar waves in openSUSE when the maintainers flooded OBS with new releases/updates. So I doubt this is anything bad.
I am aware of the prefixing rules, that was not the intention of the thread, the general rule for libraries is: <programming language>-<library name>, so there are python-, r-, nodejs-, etc.
Again, I doubt this is something like an attack. There are many utilities to help automating processes (think of CI-CD), which may result in such situations.
I am aware it isn't an attack, but the latter assumption you made was the issue. CI/CD is, to the best of my knowledge, never meant to push to the AUR directly, it should always be done by an individual manually, I am sure a package maintainer (TU) can correct me if I am wrong, but that is what I take from the guidelines mixed in with the mailing list I linked in my original email.
I hope I have been able to help with this regard, and I also hope that I may become a member of the Arch community!
You already are a member by being here, there is no obligation to contribute to be a part of the community (although contributions are always welcome).

I hope I have addressed everyone's responses, let me know if I have missed something and you wanted a response to it. I kindly ask those who plan to reply in an aggressive manner to either trash the email before sending it, or make sure it conforms to the community guidelines, this thread was not meant to kick up an argument about CI/CD again but simply point out something I found suspicious.

Have a good day,
--
Polarian
GPG signature: 0770E5312238C760
Website: https://polarian.dev
JID/XMPP: polarian@polarian.dev
Hi Polarian,

On Sat, 03 Jun 2023, 18:36:04 +0200, Polarian wrote:
[...] Nice to meet you, you sure do have a lot more experience than I do :P
Welcome to the mailing list :)
Thanks for the welcome!
[...]
Again, I doubt this is something like an attack. There are many utilities to help automating processes (think of CI-CD), which may result in such situations.
I am aware it isn't an attack, but the latter assumption you made was the issue. CI/CD is, to the best of my knowledge, never meant to push to the AUR directly, it should always be done by an individual manually, I am sure a package maintainer (TU) can correct me if I am wrong, but that is what I take from the guidelines mixed in with the mailing list I linked in my original email.
Although I'm not completely familiar with the rules for how to push packages/updates to the AUR, I completely agree with you that not each push to a Git repo with a CI/CD behind it (or whatever) should be able to push everything to the AUR directly. I'd assume it is a matter of common sense to establish several CI/CD instances, such as new, built, tested, verified, and released, while only the output from "released" should go to the AUR to be consumable by every user.

Cheers.

l8er
manfred
Hi there,

please let me introduce here first as I am new to this list/community.

My name is Manfred Hollstein, being located in Germany and a Linux user since end of 1991. I have used Debian, Red Hat, SUSE Linux distributions since 1994 (10 pack floppy disk pack of SLS before that...) - had to use Ubuntu at my last job.

I worked with Cygnus Solutions, Red Hat, SUSE and finished my active professional career at Deutsche Telekom where I helped to build their open Cloud offerings. My technical background goes back to compiler construction (still listed as a GCC maintainer), which got widely extended to OS, Virtualization, Cloud, HPC and HA technologies over the various jobs I was active in. I am now on the passive phase of my last job allowing me to do the stuff I always wanted to do ;)

Getting now to the initial issue...

On Thu, 27 Apr 2023, 18:16:06 +0200, Polarian wrote:
Hello,
I was looking at the AUR today and I have realised a ton of packages with the prefix r-<package name> being updated within a minute of each other, and then found the user to be publishing them:
Packages named like r-<package name> indicate to me that they belong to the "R project for statistical computing". I have seen similar waves in openSUSE when the maintainers flooded OBS with new releases/updates. So I doubt this is anything bad.
https://aur.archlinux.org/account/BioArchLinuxBot
By the name it seems this is a Bot, Anthraxx and Jelle have already discussed how this is not acceptable in a previous thread, see:
https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/me...
https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/me...
A draft has also been submitted on the ArchWiki to set this into stone:
https://wiki.archlinux.org/title/Talk:AUR_submission_guidelines#Automation_a...
Therefore I am bringing this user, and the packages which this has occurred on to the TUs here. I have also attached an image to this email which is a screenshot of the recently updated packages, you can use the rss feeds to back this up as well, it clearly shows that a large number of r packages were updated BY THE SAME USER within the span of 10 minutes.
Let me know what you think :)
Again, I doubt this is something like an attack. There are many utilities to help automating processes (think of CI-CD), which may result in such situations.

I hope I have been able to help with this regard, and I also hope that I may become a member of the Arch community!
Have a good day,
Cheers.

l8er
manfred
participants (6): Manfred Hollstein, Matthew Sexton, noodle, Polarian, Thomas, Tom Swartz