[aur-general] Suggestion to add a pinned comment to PKGBUILDs of high risk vulnerable software
Hi,

I understand that users should decide on their own whether they wish to install high risk vulnerable software, so I'm not writing because a deletion request was rejected. I want to make a suggestion.

A pinned comment could warn about the high security risk and, assuming that upstream of the original software isn't going to fix vulnerabilities, at least recommend asking the upstream of software that requires such software as a dependency to get rid of this dependency, instead of installing the vulnerable software.

I'm not sure if everybody is aware of the risks a package like
https://aur.archlinux.org/pkgbase/webkitgtk/
https://aur.archlinux.org/packages/webkitgtk2/
does cause.

When providing such a PKGBUILD, does anything speak against a short pinned comment?

Regards,
Ralf

--
Vote for apulse!
echo $(w3m https://aur.archlinux.org/packages/apulse |grep 'Votes: ')
Votes: 81 Updated: Sun Jul 2 09:03:52 CEST 2017
On 07/02/2017 03:09 AM, Ralf Mardorf wrote:
> Hi,
>
> I understand that users should decide on their own whether they wish to install high risk vulnerable software, so I'm not writing because a deletion request was rejected.
>
> I want to make a suggestion.
>
> A pinned comment could warn about the high security risk and, assuming that upstream of the original software isn't going to fix vulnerabilities, at least recommend asking the upstream of software that requires such software as a dependency to get rid of this dependency, instead of installing the vulnerable software.
>
> I'm not sure if everybody is aware of the risks a package like
> https://aur.archlinux.org/pkgbase/webkitgtk/
> https://aur.archlinux.org/packages/webkitgtk2/
> does cause.
>
> When providing such a PKGBUILD, does anything speak against a short pinned comment?

That is entirely up to the maintainer of said package.

Even if it weren't entirely up to the maintainer to pin comments, who are you proposing should be responsible for determining what packages should come with warnings, and then providing such warnings? And what makes you think people will *see* those warnings for packages that are typically not installed on their own, but as dependencies for something else?

Next!

--
Eli Schwartz
On Sun, 2 Jul 2017 03:49:10 -0400, Eli Schwartz via aur-general wrote:
> That is entirely up to the maintainer of said package.

Hi,

yes, and this shouldn't change. I just want to suggest being responsible and adding a note.

> Even if it weren't entirely up to the maintainer to pin comments, who are you proposing should be responsible for determining what packages should come with warnings, and then providing such warnings? And what makes you think people will *see* those warnings for packages that are typically not installed on their own, but as dependencies for something else?
>
> Next!

Apart from the risks mentioned, if you e.g. google for webkit+CVE+linux and similar search terms, we could assume that if a package gets dropped from the official Arch repositories and from other distros as well for security reasons, those reasons are high security risks that never or much too seldom get fixed.

If upstream is aware of such issues, they usually try to get rid of such a dependency or at least allow building without webkit or any other high risk vulnerable software, so the Arch repositories provide claws-mail without the fancy plugin, provide guitarix2 compiled without webkit, and browsers based upon webkit are removed from the Arch Wiki lists of applications, https://wiki.archlinux.org/index.php/List_of_applications/Internet#WebKit-ba... , even while they still might be available from the AUR; at least xombrero still is.

So AUR PKGBUILDs like qtwebkit, webkitgtk and webkitgtk2 are easy to identify as objectively highly risky. If other high risk vulnerable software is provided, it would be easy for the maintainer to identify this software as well. If software, as the mentioned webkit, is discussed for more than a year and they e.g. were on an Arch phasing-out todo list before they were completely removed from the official repositories, it's not that much of a subjective opinion.

Ok, using an AUR helper like yaourt displays the latest comments only, but not pinned comments. With or without an AUR helper, it doesn't harm to care a little bit about comments, as well as pinned comments, instead of building everything without care.

Maybe a comment added to the PKGBUILD of high risk vulnerable software could be done, too. Note "Warning: Carefully check all files. Carefully check the PKGBUILD and any .install file for malicious commands." - https://wiki.archlinux.org/index.php/Arch_User_Repository#Build_and_install_... So we could assume that users tend to take a look at the PKGBUILD and would notice a warning. The PKGBUILD even could provide a msg.

Messages are not necessarily limited to information such as

  msg "applying patch-${_pkgver}"

it also could provide a warning.

Regards,
Ralf
On Sun, Jul 2, 2017 at 4:56 PM, Ralf Mardorf <ralf.mardorf@alice-dsl.net> wrote:
> On Sun, 2 Jul 2017 03:49:10 -0400, Eli Schwartz via aur-general wrote:
>> Even if it weren't entirely up to the maintainer to pin comments, who are you proposing should be responsible for determining what packages should come with warnings, and then providing such warnings?

This is the primary question here. If it's the maintainer then... what is this email thread even for?
On Tue, 4 Jul 2017 13:25:09 +0800, Oon-Ee Ng via aur-general wrote:
> This is the primary question here. If it's the maintainer then... what is this email thread even for?

It's about a sense of responsibility. As already pointed out, something like the webkit PKGBUILDs are objectively PKGBUILDs with a very serious high security risk. Users might not be aware of it; they might think it's software that was dropped from the official repositories for harmless maintenance issues. For example, a Heartbleed-affected SSL is not the same as a discontinued Sudoku game without internet access, even if such a Sudoku game might come with minor security issues, too.

Regards,
Ralf
On Tue, Jul 4, 2017 at 1:47 PM, Ralf Mardorf <ralf.mardorf@alice-dsl.net> wrote:
> On Tue, 4 Jul 2017 13:25:09 +0800, Oon-Ee Ng via aur-general wrote:
>> This is the primary question here. If it's the maintainer then... what is this email thread even for?
>
> It's about a sense of responsibility. As already pointed out, something like the webkit PKGBUILDs are objectively PKGBUILDs with a very serious high security risk. Users might not be aware of it; they might think it's software that was dropped from the official repositories for harmless maintenance issues. For example, a Heartbleed-affected SSL is not the same as a discontinued Sudoku game without internet access, even if such a Sudoku game might come with minor security issues, too.

And as you've already pointed out, this is the responsibility of the maintainer. You could suggest it on the package's AUR page. By sending it to the ML, it looks like you're trying to discuss or push for a general decision. That's not going to happen on this issue, I don't think.
On Tue, 4 Jul 2017 14:00:50 +0800, Oon-Ee Ng via aur-general wrote:
> You could suggest it on the package's AUR page.

Hi,

yes, I could ask to do it for dependent packages such as https://aur.archlinux.org/packages/xombrero/ even while I'm not using it.

I could ask to do it for https://aur.archlinux.org/packages/qtwebkit/ , https://aur.archlinux.org/packages/webkitgtk/ / https://aur.archlinux.org/packages/webkitgtk2 even while I'm not using those packages.

Some maintainers simply are responsible without somebody mentioning it, e.g. https://aur.archlinux.org/packages/claws-mail-git/, btw. the only related PKGBUILD I'm using myself.

Another package maintainer disabled webkit usage after I informed them about the issue and after I got in contact with upstream, who also will fix the issue, https://aur.archlinux.org/packages/guitarix-git/ . I'm not using this package, but install guitarix2 from the official repositories.

> By sending it to the ML, it looks like you're trying to discuss or push for a general decision.

Actually there could be PKGBUILDs where I'm not aware of the issue, so I can't add a comment; that's why I ask on this list. It should not be enforced by a rule, but maintainers of PKGBUILDs should develop a sense of responsibility, so I mentioned it on this list.

Regards,
Ralf
On Tue, 4 Jul 2017 09:45:08 +0200, Ralf Mardorf wrote:
> On Tue, 4 Jul 2017 14:00:50 +0800, Oon-Ee Ng via aur-general wrote:
>> You could suggest it on the package's AUR page.
>
> Hi,
>
> yes, I could ask to do it for dependent packages such as https://aur.archlinux.org/packages/xombrero/ even while I'm not using it.
>
> I could ask to do it for https://aur.archlinux.org/packages/qtwebkit/ , https://aur.archlinux.org/packages/webkitgtk/ / https://aur.archlinux.org/packages/webkitgtk2 even while I'm not using those packages.
>
> Some maintainers simply are responsible without somebody mentioning it, e.g. https://aur.archlinux.org/packages/claws-mail-git/, btw. the only related PKGBUILD I'm using myself.
>
> Another package maintainer disabled webkit usage after I informed them about the issue and after I got in contact with upstream, who also will fix the issue, https://aur.archlinux.org/packages/guitarix-git/ . I'm not using this package, but install guitarix2 from the official repositories.
>
>> By sending it to the ML, it looks like you're trying to discuss or push for a general decision.
>
> Actually there could be PKGBUILDs where I'm not aware of the issue, so I can't add a comment; that's why I ask on this list. It should not be enforced by a rule, but maintainers of PKGBUILDs should develop a sense of responsibility, so I mentioned it on this list.
>
> Regards,
> Ralf

PS: Maybe Claws from git still builds with webkit if it's installed, but it's not a dependency.
I want to point out another view of this situation: What if an outdated package is moved to the AUR and does not have a new package with the replaces=() variable? I personally had this several times and those packages are still kept on the system. This gave me some broken dependencies, but also old software was kept on my system. Besides the packages I manually installed from the AUR this could be a real security risk.

Shouldn't we warn the user when a package from the official repositories moves to the AUR (or disappears completely)? Not every user checks his system for dropped packages every day, so a warning in pacman would be nice.

About the original suggestion for the AUR: I think it's worth having a pinned comment on the AUR page. The package maintainer should add it if a user gives him the hint. If he doesn't accept it, a TU should check if the request is valid and pin the user's comment. This way we can help all the users. Maintainers unwilling to fix security problems or ignoring/hiding them are not welcome to me.

~Nico
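The check Nico describes (installed packages that were silently dropped from the official repositories and now linger on the system) can be scripted today without waiting for a pacman warning. The script below is an added example for this thread, not a tool of Arch, pacman or the AUR. It relies only on `pacman -Qmq` printing the "foreign" packages (installed but absent from every configured sync database), which is documented pacman behaviour; the allowlist file of packages you knowingly maintain from the AUR, its one-name-per-line format, and the `--live` flag are this script's own conventions. The package names in the comments are constructed sample input.

```shell
#!/bin/sh
# aur-dropped.sh: list installed packages that no longer come from any
# configured sync repository and are not on your own allowlist of
# packages you deliberately build from the AUR.
#
# Added example, not a tool shipped by Arch, pacman or the AUR. It assumes
# only that `pacman -Qmq` prints the foreign packages (installed, but in
# no sync db). The allowlist format (one package name per line) and the
# --live flag are this script's own conventions.

# dropped_packages FOREIGN ALLOWLIST
#   FOREIGN    file, one package name per line (what `pacman -Qmq` prints)
#   ALLOWLIST  file, one package name per line, the packages you knowingly
#              keep from the AUR; may be empty or /dev/null
# Prints, sorted and de-duplicated, every foreign package that is not on
# the allowlist. Anything printed was either dropped from the repos behind
# your back (Nico's case) or installed from the AUR without being recorded,
# so e.g. a lingering webkitgtk2 shows up even if nothing still needs it.
dropped_packages() {
    foreign=$1
    allow=$2
    if [ ! -s "$allow" ]; then
        # No allowlist: every foreign package is a candidate.
        LC_ALL=C sort -u "$foreign"
        return 0
    fi
    # -x whole-line match, -F fixed strings, -v keep the non-matches.
    # grep exits 1 when nothing is left; that is a clean result, not an error.
    LC_ALL=C sort -u "$foreign" | grep -vxF -f "$allow" || true
}

# Live use:  sh aur-dropped.sh --live ~/.config/aur-allowlist
# The allowlist path is optional; without it every foreign package is shown.
if [ "${1:-}" = "--live" ]; then
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    # pacman exits non-zero when a query matches nothing; an empty foreign
    # list is a perfectly good answer here, so do not abort on it.
    pacman -Qmq > "$tmp" || true
    dropped_packages "$tmp" "${2:-/dev/null}"
    # Follow up with `pacman -Qdt`: it lists orphaned dependencies, which is
    # where a library dropped from the repos tends to linger once the
    # packages that used it were rebuilt without it.
fi
```

Run it from a cron job or a pacman hook and keep the allowlist under version control; a new name in the output is then exactly the "package silently moved to the AUR (or vanished)" event Nico wants to be told about, and the list is short enough to read before deciding whether to rebuild, replace or remove each entry.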
On 04-07-17 10:19, NicoHood wrote:
> About the original suggestion for the AUR: I think it's worth having a pinned comment on the AUR page. The package maintainer should add it if a user gives him the hint. If he doesn't accept it, a TU should check if the request is valid and pin the user's comment. This way we can help all the users. Maintainers unwilling to fix security problems or ignoring/hiding them are not welcome to me.
>
> ~Nico

Sounds like you propose an additional request type for the AUR, "add pinned comment"? I kinda like this idea, maybe send it to aur-dev?

Lone_Wolf
participants (5): Eli Schwartz, LoneVVolf, NicoHood, Oon-Ee Ng, Ralf Mardorf