[aur-general] Maintenance issues with metasploit-git package
I'd like to bring the community's attention to the following package: https://aur.archlinux.org/packages/metasploit-git/

It has multiple issues and does not follow PKGBUILD guidelines and best practices:

1. The build script appends instructions into the user-specific and shell-specific ~/.bash_profile at build time.
2. It dumps everything into /usr/local. This is against the very first point in https://wiki.archlinux.org/index.php/Arch_packaging_standards#Package_etique...
3. The post-install script tells the user to ignore a warning about breakage. It warns about breaking ruby for all other users when the instruction is run with root permissions. I haven't tested this one for obvious reasons.
4. The package appends to $PATH, which overshadows the binaries of the latest ruby package with those of the 1.9 version for the current user (via the same instruction as 1.).

The current maintainer refuses collaboration. What's the best I can do in a situation like this?

- Babken Vardanyan (axper)
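One way to catch the four problems listed above mechanically before a package is built, as an added example that is not part of this thread, of makepkg or of namcap; the grep rules, the message texts and the sample PKGBUILD are constructed assumptions, not the real metasploit-git files:

```shell
#!/bin/sh
# Constructed lint for PKGBUILD and .install files that flags the four
# anti-patterns raised in the thread (assumed rules, not Arch tooling).
# check FILE PATTERN MESSAGE: print "FILE:LINES: MESSAGE" if PATTERN matches
check() {
    hits=$(grep -nE "$2" "$1" | cut -d: -f1 | tr '\n' ',' | sed 's/,$//')
    if [ -n "$hits" ]; then
        echo "$1:$hits: $3"
    fi
    return 0
}
# lint_pkgbuild FILE: one finding per line on stdout
lint_pkgbuild() {
    # 1. build steps must never write into the builder's home directory
    check "$1" '(\$HOME|~)/\.(bash_profile|bashrc|profile|zshrc)' \
        'writes to a user shell rc file during build'
    # 2. /usr/local belongs to the administrator; packages install under /usr
    check "$1" '/usr/local' 'installs into /usr/local'
    # 4. PATH edits shadow the system ruby for whoever runs the build
    check "$1" '(^|[^A-Za-z_])PATH=' 'modifies PATH'
    # 3. post-install text telling the user to ignore a breakage warning
    check "$1" '[Ii]gnore .*warning|sudo gem' 'tells user to ignore a warning / run gem as root'
}
# count_findings FILE: number of findings (0 means the file is clean)
count_findings() {
    lint_pkgbuild "$1" | grep -c .
}
# make_sample: write a constructed bad PKGBUILD to a temp file, print its path
make_sample() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
pkgname=example-git   # constructed sample, not any real AUR package
package() {
  mkdir -p "$pkgdir/usr/local/opt/example"
  cp -r "$srcdir"/example/* "$pkgdir/usr/local/opt/example/"
  echo 'export PATH=/usr/local/opt/example/bin:$PATH' >> ~/.bash_profile
}
post_install() {
  echo "Ignore the warning about breaking ruby and run: sudo gem install bundler"
}
EOF
    echo "$f"
}
sample=$(make_sample)
lint_pkgbuild "$sample"
echo "findings: $(count_findings "$sample")"
rm -f "$sample"
```

Run it against a PKGBUILD and its .install file; a clean package yields zero findings, and each reported line number points at the offending statement.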
On Thu, Aug 21, 2014 at 6:00 PM, <483ken@gmail.com> wrote:
1. The build script appends instructions into user-specific and shell-specific ~/.bash_profile on build time.
That package is really really bad but this point makes it borderline malicious. A package that wants to touch my home directory should be immediately removed IMO.
On 21/08, Massimiliano Torromeo wrote:
On Thu, Aug 21, 2014 at 6:00 PM, <483ken@gmail.com> wrote:
1. The build script appends instructions into user-specific and shell-specific ~/.bash_profile on build time.
That package is really really bad but this point makes it borderline malicious. A package that wants to touch my home directory should be immediately removed IMO.
Not only that, he was told about several problems with the package in the comments but refused to accept that they were problems and told the person who commented on them to "NOT WASTE [HIS] TIME AGAIN". To be honest it doesn't sound like he's fit to maintain AUR packages.

-- Sincerely, Johannes Löthberg
PGP Key ID: 3A9D0BB5
On Thu, Aug 21, 2014 at 07:27:30PM +0200, Johannes Löthberg wrote:
On 21/08, Massimiliano Torromeo wrote:
On Thu, Aug 21, 2014 at 6:00 PM, <483ken@gmail.com> wrote: That package is really really bad but this point makes it borderline malicious. A package that wants to touch my home directory should be immediately removed IMO.
Not only that, he was told about several problems with the package in the comments but refused to accept that they were problems and told the person who commented on them to "NOT WASTE [HIS] TIME AGAIN". To be honest it doesn't sound like he's fit to maintain AUR packages.
Agreed on all the above points. But further, the responses to comments seem borderline abusive. When one maintains a PKGBUILD they can - to an extent - do things however they wish. But the following comment from the maintainer just screams irony: "PLEASE do not comment unless you have spent significant time thinking about what you are going to say or going to ask." I don't know anything about this package - but the maintainer who offered this advice can be clearly seen in the comments to not have followed his own advice. I don't know whether axper's comments may be right or wrong, but they were continually offered in a tactful and responsible manner. One can do whatever they wish with their own PKGBUILDs, but implicit in having them held on the AUR server is an agreement to interact with the community of Arch Users in a responsible and appropriate manner. This implicit requirement does not seem to be currently being met by the maintainer.

-Jesse AKA Trilby on archlinux.org
I forgot to mention - I am not suggesting myself as the maintainer. Instead someone with more experience with ruby and maintaining such a broken upstream should take over the maintenance.

- Babken Vardanyan (axper)

On Thu, Aug 21, 2014 at 8:00 PM, <483ken@gmail.com> wrote:
I'd like to bring the community's attention to the following package: https://aur.archlinux.org/packages/metasploit-git/
It has multiple issues and does not follow pkgbuild guidelines and best practices:
1. The build script appends instructions into user-specific and shell-specific ~/.bash_profile on build time.
2. It dumps everything into /usr/local. This is against the very first point in https://wiki.archlinux.org/index.php/Arch_packaging_standards#Package_etique...
3. The post-install script tells the user to ignore a warning about breakage. It warns about breaking ruby for all other users when the instruction is run with root permissions. I haven't tested this one for obvious reasons.
4. The package appends to $PATH which overshadows the binaries of latest ruby package with those of 1.9 version for the current user (via same instruction as 1.).
The current maintainer refuses collaboration. What's the best I can do in a situation like this?
- Babken Vardanyan (axper)