El 12/02/2016 a las 3:28 p. m., William Di Luigi escribió:

Hi

...

Maintainer Det: 105 packages found. Submitter Det: 63 packages found. This doesn't really tell much, to be honest. I only see a very active

On Fri, Feb 12, 2016 at 8:39 PM, Pedro A. López-Valencia wrote: maintainer who generously gives away his/her time (at no charge) to take care of package scripts.

I do the same as well. Don't try to make the argument that "as the arsehole has more packages, he deserves to be in charge". Such policy doesn't work for any community. Meritocracy *must* come in hand with *peer-review*. Else, it is just a broth that breeds conflict and strife.

Also, of course, there was really no reason to disown the package. [Long disquisition about how I rage quit.]

You would do it if you had already been harassed in private for the previous six months, maybe more. I don't recall those details because, who would? That's the kind of thing you simply forget (If you are a Christian, you'll know the application of "turning the other cheek"). I certainly thought at the time I let Vuze go "Fuck it, he can have it and the turd polishig dummy can deal with the psycho." I can only guess David Blair went through a similar experience; may you not be in our shoes.

Oh, come on now, so aren't these ad-hominem attacks?

I am only giving a matter-of-fact relation of my experience. If it makes you cringe... Again: May you not be bullied so. And if you are, may you live interesting times. :-)

...

I let this pass for a long time, but I think it is the right time to ask the TUs *and* the devs to start a productive discussion about creating a code of conduct that allows us, the users contributing to the AUR, the forum and the IRC channels, to have a set of rules to be applied if people is disrespectful to each other in the context of the community. I am completely in favor.

Let's hope so! -- Pedro A. López-Valencia http://about.me/palopezv/ Recession is when a neighbor loses his job. Depression is when you lose yours. -Ronald Reagan

On Fri, 12 Feb 2016 23:11:13 +0100, William Di Luigi wrote:

On Fri, Feb 12, 2016 at 10:37 PM, P. A. López-Valencia wrote:

...

I do the same as well. Don't try to make the argument that "as the arsehole has more packages, he deserves to be in charge".

Nice strawman you got there.

For the record (if you actually misread me and aren't really trying to mislead), I never said that nor I believe that.

Fortunately this user seems to maintain 500+ packages less, assumed the 600+ wasn't a typo: https://lists.archlinux.org/pipermail/aur-general/2016-February/032004.html https://lists.archlinux.org/pipermail/aur-general/2016-February/032006.html Assumed a maintainer should maintain more than 500 packages, a moderator/admin should automatically get informed, who then randomly checks a few packages, e.g. if the source code comes from an upstream server or from a suspect mirror. This should be done not to ensure that the PKGBUILDs are 100% secure, but just to ensure that it really is a single maintainer and not a suspect organisation providing packages.

On Fri, 2016-02-12 at 23:46 +0100, Ralf Mardorf wrote:

On Fri, 12 Feb 2016 23:11:13 +0100, William Di Luigi wrote:

...

On Fri, Feb 12, 2016 at 10:37 PM, P. A. López-Valencia wrote:

...

I do the same as well. Don't try to make the argument that "as the arsehole has more packages, he deserves to be in charge".  

Nice strawman you got there.

For the record (if you actually misread me and aren't really trying to mislead), I never said that nor I believe that.

Fortunately this user seems to maintain 500+ packages less, assumed the 600+ wasn't a typo:

https://lists.archlinux.org/pipermail/aur-general/2016-February/032004 .html https://lists.archlinux.org/pipermail/aur-general/2016-February/032006 .html

Assumed a maintainer should maintain more than 500 packages, a moderator/admin should automatically get informed, who then randomly checks a few packages, e.g. if the source code comes from an upstream server or from a suspect mirror. This should be done not to ensure that the PKGBUILDs are 100% secure, but just to ensure that it really is a single maintainer and not a suspect organisation providing packages.

OTOH a suspect organisation most likely would use several accounts and not just one account ;).

On Fri, 12 Feb 2016 23:22:55 -0500, Mark Weiman wrote:

I don't see anything wrong with maintaining several hundred packages. If someone is willing to and has the time to do it, I say they should be able to without moderation.

Essentially this is my opinion too. Anyway, since this thread came into being by a thread I started and it came out that at least one maintainer seems to suffer from something like a collecting mania and/or control mania and at least two other maintainers felt harassed by this maintainer, there maybe is the need to take a look at maintainers of very much PKGBUILDS. Again, not to ensure that the PKGBUILDS are secure, I hoped that I have already explained good enough that this isn't what I'm thinking of. It might be helpful for the sense of well-being of other maintainers, to at least ensure that there is no suspect organisation acting. I'm not a package maintainer, so "AUR packages are user produced content. Any use of the provided files is at your own risk." is addressed to me and other users and doesn't include the the sense of well-being of maintainers, who feel pressure by other, misbehaving maintainers. As a user I don't know if this is really an issue, or even true.

Hi,

On 13.02.2016, at 11:09, William Di Luigi wrote: It's important to note: this is just the opinion of Ralf and Pedro.

that's a misunderstanding. I don't know if Det has got a problem. Det seems to behave strange regarding impressions from Dave and Pedro, but I don't know an evidence that Det does or does not. What I noticed is that users considered the comments as a discussion and support forum and I don't know how to value Det comments.

I agree with taking a look at packages (I would add a "Flag as compromised/virus" link, which has a similar effect to "Flag package out-of-date").

Less is more...

I believe it would be a good thing to address (with a code of conduct) *the possibility* of having misbehaving maintainers pressuring other maintainers. It's important to note, however, that this "pressuring" hasn't ever happened, until someone proves it happened.

....less is more.... ....I guess we should add a few notes to the guideline Wikis, we even don't need a CoC. Right now I don't have a good idea what exactly to add to the guideline Wikis. Regards, Ralf

El 13/02/2016 a las 9:25 a. m., Ralf Mardorf escribió:

....I guess we should add a few notes to the guideline Wikis, we even don't need a CoC. Right now I don't have a good idea what exactly to add to the guideline Wikis. Regards, Ralf

I agree, we don't need a CoC, but we do need some tools to communicate this kind of toxic behavior to the right people. In private if necessary. -- Pedro A. López-Valencia http://about.me/palopezv/ Recession is when a neighbor loses his job. Depression is when you lose yours. -Ronald Reagan

Hi,

On 13.02.2016, at 15:35, William Di Luigi wrote: Mmm, but you said "at least one maintainer seems to suffer from something like a collecting mania", weren't you referring to Det?

I did, it was an unfortunate choice of words.

The "compromised/virus" flag I'm talking about should be removable only by a TU/dev. This also means that while a wrong out-of-date flag is not a big deal, a wrong compromised flag should yield harder consequences, in order to avoid abuse.

Maybe this isn't needed and asking for unintended wrong usage.

On 13.02.2016, at 18:43, P. A. López-Valencia wrote:

...

El 13/02/2016 a las 9:25 a. m., Ralf Mardorf escribió: ....I guess we should add a few notes to the guideline Wikis, we even don't need a CoC. Right now I don't have a good idea what exactly to add to the guideline Wikis. Regards, Ralf

I agree, we don't need a CoC, but we do need some tools to communicate this kind of toxic behavior to the right people. In private if necessary.

Mediators reachable by email would be good. OT: Regarding what to add to the Wiki and my original thread, I wonder if my claim is correct, even if a package build from AUR suffers from a soname issue, then it's _not_ out of date, since users need to care on their own to rebuild an AUR package, assumed a lib from official repos gets update and the AUR package is build against this lib. I didn't read the current AUR guides and will do it later. Perhaps the guides need a summary, they might be too long.

On 13.02.2016, at 20:49, P. A. López-Valencia wrote:

...

El 13/02/2016 a las 5:09 a. m., William Di Luigi escribió: Again, it's important to note that these other maintainers gave no proof of harassment yet.

WE, Dave Blair and I, BOTH SAID THE HARASSMENT WAS DONE *PRIVATELY*, yet you are asking for public proof?

I guess we shouldn't continue the discussion about this maintainer. Regards, Ralf

El 13/02/2016 a las 3:12 p. m., Connor Behan escribió:

...

WE, Dave Blair and I, BOTH SAID THE HARASSMENT WAS DONE *PRIVATELY*, yet you are asking for public proof? Your sharpness is.... Sheesh! He didn't say that it would be easy for you to establish public proof (that would indeed warrant a "sheesh"). He said that no matter how hard it is to prove harassment, the onus for doing so is on the victim. Which it should be. I'm sure all people in this discussion agree that the bullying you describe is completely unacceptable, but we simply cannot be banning users based on scenarios that are simply one person's word against another's.

What you say is true Connor and your comment is *very constructive*. I simply deleted the emails at the time , because I do not like gloating on bad blood therefore I can't provide that evidence anymore; but be assured it built up for at least 6 months before I finally threw the towel in disgust. I had to play whack-a-mole with the guy blocking accounts from where he would send me personal insults and attacks. As long as we have your attention. Can you bring the matter in the private lists? There is a real need for some sort of reporting channel that is not a project in Flyspray but more private. And as Ralf Mardorf already said, a CoC is not needed. I frankly believe a CoC would be completely counterproductive.

No comment.

He! I apologize for the tone, but I can't help being Zen when the student needs a whacking. -- Pedro A. López-Valencia http://about.me/palopezv/ Recession is when a neighbor loses his job. Depression is when you lose yours. -Ronald Reagan

On 13/02/16 04:12 PM, P. A. López-Valencia wrote:

El 13/02/2016 a las 3:12 p. m., Connor Behan escribió:

...

...

WE, Dave Blair and I, BOTH SAID THE HARASSMENT WAS DONE *PRIVATELY*, yet you are asking for public proof? Your sharpness is.... Sheesh! He didn't say that it would be easy for you to establish public proof (that would indeed warrant a "sheesh"). He said that no matter how hard it is to prove harassment, the onus for doing so is on the victim. Which it should be. I'm sure all people in this discussion agree that the bullying you describe is completely unacceptable, but we simply cannot be banning users based on scenarios that are simply one person's word against another's. What you say is true Connor and your comment is *very constructive*. I simply deleted the emails at the time , because I do not like gloating on bad blood therefore I can't provide that evidence anymore; but be assured it built up for at least 6 months before I finally threw the towel in disgust. I had to play whack-a-mole with the guy blocking accounts from where he would send me personal insults and attacks.

As long as we have your attention. Can you bring the matter in the private lists? There is a real need for some sort of reporting channel that is not a project in Flyspray but more private. And as Ralf Mardorf already said, a CoC is not needed. I frankly believe a CoC would be completely counterproductive. Thanks.

I asked about this in #archlinux-tu and the one reply so far said it would be best to start things off with a request to aur-general which doesn't name names. The first TU to see it could then follow up off-list and learn the details. If that's uncomfortable for some, maybe just pick an email from the TU list [1] to contact. Of the "active" TUs, some are more active than others and a look through the mailing list archives can help narrow it down. [1] https://wiki.archlinux.org/index.php/Trusted_Users