davinci-resolve no longer downloads the upstream package; was this actually an AUR rules violation?
Hello all, this issue has been on my mind for a while, but I haven’t bothered to write to the mailing list about it until now. Before Muflone took over maintainership of the davinci-resolve packages (including davinci-resolve-studio and davinci-resolve-beta), the PKGBUILD would automatically download the upstream package from Blackmagic’s website. While Resolve is proprietary, the non-Studio version (and the beta) are freely available, requiring not even a proper login with the vendor. The download link on the website (https://www.blackmagicdesign.com/products/davinciresolve ) is behind a “registration” form, but this does not create a user account and to the best external knowledge, the data entered here is never verified in any way. Therefore, previous versions of the AUR package either used a download link obtained by the maintainer after filling out the form with arbitrary data, or replayed the form submission with fixed data during prepare(), obtaining a new download link for the user. Either way, the package contents are obviously always identical (regular hashing applied). The same is true for packages retrieved through the support center (https://www.blackmagicdesign.com/support/family/davinci-resolve-and-fusion ), where in fact the Studio version (which requires a paid license) does not require the submission of a form at all. However, Muflone changed this behavior to instead require a locally-downloaded version of the upstream package in all three cases. The user reception for this was mixed, additionally caused by the issue that AUR helpers need the upstream package file located in special cache directories and not the current working directory. Personally, I am strongly opposed to this change, but Muflone has deflected criticism by pointing out that “Packages must not contain black magic or unknown/hard to understand commands as users are required to check the PKGBUILDs before installing/updating from AUR” (https://aur.archlinux.org/packages/davinci-resolve?O=60#comment-1013733 ). While I agree in spirit, I disagree in this specific case. There are multiple easy ways of obtaining the package that have been known for some time; a review of the package commit history confirms this. On the contrary, some of the changes required to make more technical aspects of the package work properly will not be easy to understand for users at times. Furthermore, a careful review of the AUR rules reveals to me that this kind of direct download is perfectly allowed, since in my opinion it doesn’t circumvent any real technical measures by the upstream provider; see elaboration above: form contents are not checked by the Blackmagic website, and sometimes skippable altogether. I’m writing to the mailing list to gain clarification on the matter: whether the manual download is actually more compliant with AUR rules than what was happening previously (before commit 7351177b553aa3983163450822bf251ec7f7ab75), and whether the previous approach was even in violation. If not, I’m not sure—if it’s possible that the AUR maintainers can urge Muflone to change it back, that would be excellent, but I don’t remember the AUR working that way. Blocking Muflone and/or orphaning the package is also not a reasonable approach, unless there is someone to step up to maintainership for the package (unfortunately not me, as I don’t use Resolve frequently enough, and often need to stay on older versions due to bugs frequently introduced in new releases). I hope I’m not overstepping any lines with this request, but as a user of the package it is very annoying when a (new) maintainer degrades the user experience for unclear/nebulous “rules compliance” and refuses to engage in discussions about it. This is also the reason I am writing here in the first place, I want to make it clear that I did of course try to discuss this on the package comment page first; over a year ago in fact. I also finally want to make it clear that this is not about piracy of the Studio version in any way shape or form; while the package download for it is still freely available from Blackmagic, it’s less important to change the PKGBUILD as the software isn’t free in the first place. Greetings, kleines Filmröllchen
Am 19. März 2026 22:39:48 MEZ schrieb "kleines Filmröllchen" <kleines@filmroellchen.eu>:
Hello all,
this issue has been on my mind for a while, but I haven’t bothered to write to the mailing list about it until now.
Before Muflone took over maintainership of the davinci-resolve packages (including davinci-resolve-studio and davinci-resolve-beta), the PKGBUILD would automatically download the upstream package from Blackmagic’s website. While Resolve is proprietary, the non-Studio version (and the beta) are freely available, requiring not even a proper login with the vendor. The download link on the website (https://www.blackmagicdesign.com/products/davinciresolve ) is behind a “registration” form, but this does not create a user account and to the best external knowledge, the data entered here is never verified in any way. Therefore, previous versions of the AUR package either used a download link obtained by the maintainer after filling out the form with arbitrary data, or replayed the form submission with fixed data during prepare(), obtaining a new download link for the user. Either way, the package contents are obviously always identical (regular hashing applied). The same is true for packages retrieved through the support center (https://www.blackmagicdesign.com/support/family/davinci-resolve-and-fusion ), where in fact the Studio version (which requires a paid license) does not require the submission of a form at all.
However, Muflone changed this behavior to instead require a locally-downloaded version of the upstream package in all three cases. The user reception for this was mixed, additionally caused by the issue that AUR helpers need the upstream package file located in special cache directories and not the current working directory. Personally, I am strongly opposed to this change, but Muflone has deflected criticism by pointing out that “Packages must not contain black magic or unknown/hard to understand commands as users are required to check the PKGBUILDs before installing/updating from AUR” (https://aur.archlinux.org/packages/davinci-resolve?O=60#comment-1013733 ).
While I agree in spirit, I disagree in this specific case. There are multiple easy ways of obtaining the package that have been known for some time; a review of the package commit history confirms this. On the contrary, some of the changes required to make more technical aspects of the package work properly will not be easy to understand for users at times. Furthermore, a careful review of the AUR rules reveals to me that this kind of direct download is perfectly allowed, since in my opinion it doesn’t circumvent any real technical measures by the upstream provider; see elaboration above: form contents are not checked by the Blackmagic website, and sometimes skippable altogether.
I’m writing to the mailing list to gain clarification on the matter: whether the manual download is actually more compliant with AUR rules than what was happening previously (before commit 7351177b553aa3983163450822bf251ec7f7ab75), and whether the previous approach was even in violation. If not, I’m not sure—if it’s possible that the AUR maintainers can urge Muflone to change it back, that would be excellent, but I don’t remember the AUR working that way. Blocking Muflone and/or orphaning the package is also not a reasonable approach, unless there is someone to step up to maintainership for the package (unfortunately not me, as I don’t use Resolve frequently enough, and often need to stay on older versions due to bugs frequently introduced in new releases).
I hope I’m not overstepping any lines with this request, but as a user of the package it is very annoying when a (new) maintainer degrades the user experience for unclear/nebulous “rules compliance” and refuses to engage in discussions about it. This is also the reason I am writing here in the first place, I want to make it clear that I did of course try to discuss this on the package comment page first; over a year ago in fact. I also finally want to make it clear that this is not about piracy of the Studio version in any way shape or form; while the package download for it is still freely available from Blackmagic, it’s less important to change the PKGBUILD as the software isn’t free in the first place.
Greetings,
kleines Filmröllchen
Hello, While I don't want to invalid your argumentation with the following and I don't have a strong on the matter itself (although I would lean more to current setup as it doesn't work around something upstream has set in place for whatever reasons) but after reading this I want to point one thing out. The person in question isn't some random PKGBUILD maintainer who decided on a whim to change something to the inconvenience of the users. Muflone is part of the (wider) Arch team and a very active AUR moderator. So I am sure there went some thought and considerations into the change. And in general everyone can revert the change locally. Nobody is bound to do what the PKGBUILD on the aurweb does. Best regards
Hello, quoting and replying to everyone’s responses in no particular order (the mailing list thread disappeared in my client, so I can’t properly reply):
While I appreciate that you pointed out that workarounds for Davinci Resolve exist and/or have been used in the past, downloading the files primary through Support Centers etc. is likely unintended behavior and could throw a bad light at the AUR or Arch, or degrade the service the Support Center could provide for other users in the future.
The download procedure through the support center and through the main page is identical. The form is always required for the free version, and always optional for the paid one. The support center provides access to older versions of the software (and other, auxiliary software, like Fusion standalone or the control panel setup tooling). I’m certain that Blackmagic doesn’t mind people using it; as I stated before my primary reason for going there is acquiring older, more bug-free software versions
I think there is an argument to be made that davinci-resolve is unpackageable under a strict interpretation of the AUR guidelines. I'm not averse to the old implementation of the package, though, because it was still a package.
One thing I could maybe see being done here is approaching Blackmagic Design directly in a diplomatic manner to find a solution to optimizing this, but since the primary goal of Blackmagic Design seems to be the identification of it's users, I am not optimistic about how and if we had could come to compromise there
It’s unclear to me whether Blackmagic actually wants to identify users of the free version. Otherwise, they would verify the email address you enter, force you to login, etc. It’s not exactly related to the topic of this thread (but others have gone off the topic too, tough luck), but Blackmagic’s market strategy with Resolve seems to be to get users to use their free software that works wonderfully with their expensive hardware, so they later go on buying their expensive hardware. (At least for me this worked, if I was financially able to I would definitely consider buying some of their hardware.) Either way, I do understand the concerns with violating Blackmagic’s TOS and license agreements, but I haven’t read them, so I cannot tell you.
And in general everyone can revert the change locally. Nobody is bound to do what the PKGBUILD on the aurweb does.
I was doing this for some time, but it’s effectively more effort (especially when trying to keep up with fixes to the upstream PKGBUILD) than downloading the package manually from Blackmagic’s website in the first place. Best regards
Hi all, Am 19. März 2026 22:40:49 schrieb kleines Filmröllchen <kleines@filmroellchen.eu>:
The download link on the website (https://www.blackmagicdesign.com/products/davinciresolve ) is behind a “registration” form, but this does not create a user account and to the best external knowledge, the data entered here is never verified in any way.
I would like to add that the registration form for davinci-resolve-studio has a "download only" button for skipping the form altogether. The regular "davinci-resolve" download however does not. Cheers, Gamy
Hey, This package is maintained by an Arch Developer, end of story. Take care, -- Polarian Jabber/XMPP: polarian@icebound.dev
On Thu, 19 Mar 2026 23:21:40 +0000 Polarian <polarian@polarian.dev> wrote:
This package is maintained by an Arch Developer, end of story.
That's a very strange reasoning. I think there's a confusion here between a factual argument and an authoritative one. -- Marek Küthe m.k@mk16.de er/ihm he/him
Hey, Let me put it more clearly then, Muflone is the main staff member who moderates the AUR, I can assure you they know the rules inside out. They have already explained their reasoning for the change. [1] There is literally nothing to discuss here, other than "I disagree with the change". If you have an issue with it you should probably bring it up with Muflone, not subject an entire mailing list to your personal preferences. In any case, this is not a hill worth dying on. You have an extra step which is clearly documented [2]. If you want to take your anger out on someone, maybe take it out on Black Magic Design which forced this change, Muflone has already concluded this a year ago [3], you are blaming the wrong person here. There is no stable URL to download the sources from and forcing people to run ambiguous scripts is a security threat, malicious PKGBUILD's have happened before, therefore you must always review what you are building which, as Muflone has pointed out, can not be done if there is a hacky workaround which is not possible for the average user to review. I am aware that davinci is much more advanced than a lot of the open source competition but if it is such a big deal, maybe give some open source alternatives a go, ones which actually give you both software freedom, and can be properly packaged and distributed, without upstream causing any issues, unlike resolve. Thank you, -- Polarian Jabber/XMPP: polarian@icebound.dev [1] https://aur.archlinux.org/packages/davinci-resolve?O=60#comment-1013733 [2] https://wiki.archlinux.org/title/DaVinci_Resolve [3] https://aur.archlinux.org/packages/davinci-resolve?O=60#comment-1009644
On March 19, 2026 8:47:02 PM MDT, Polarian <polarian@polarian.dev> wrote:
Hey,
Let me put it more clearly then, Muflone is the main staff member who moderates the AUR, I can assure you they know the rules inside out.
They have already explained their reasoning for the change. [1]
There is literally nothing to discuss here, other than "I disagree with the change". If you have an issue with it you should probably bring it up with Muflone, not subject an entire mailing list to your personal preferences.
As another staff member who moderates the AUR (though not as often as Fabio), discussion of changes is fair game for this mailing list.
In any case, this is not a hill worth dying on. You have an extra step which is clearly documented [2]. If you want to take your anger out on someone, maybe take it out on Black Magic Design which forced this change, Muflone has already concluded this a year ago [3], you are blaming the wrong person here. There is no stable URL to download the sources from and forcing people to run ambiguous scripts is a security threat, malicious PKGBUILD's have happened before, therefore you must always review what you are building which, as Muflone has pointed out, can not be done if there is a hacky workaround which is not possible for the average user to review.
You're coming at this from a much more aggressive position than the OP. There's no indication that OP intends to die on this hill—they simply want to discuss the change and whether it could potentially be revisited. I don't see anything wrong with that given the way they've presented their arguments. The worst we can say is that we won't change it back.
I am aware that davinci is much more advanced than a lot of the open source competition but if it is such a big deal, maybe give some open source alternatives a go, ones which actually give you both software freedom, and can be properly packaged and distributed, without upstream causing any issues, unlike resolve.
A fair point, but as you've admitted, Resolve is much more advanced than the likes of Shotcut, Kdenlive, etc. If you want a professional video editor the likes of Premiere or Sony Vegas on Linux, you need Resolve. That's not to knock the FOSS competition in any way, it's just reality.
Thank you,
Polarian, I'd like to remind you—as I know others have in the past—you are not an AUR moderator. You've engaged in what's called "armchair moderation" here, where someone with no power to enforce rules attempts to do so anyway. If you're going to engage in this discussion—and you should feel free to do so—please do so constructively and without speaking for the Arch staff members that are fully capable of speaking for themselves. Thank you, Campbell Jones / serebit
I'll just throw in my 2 cents.
A package is an archive containing: all of the (compiled) files of an application metadata about the application, such as application name, version, dependencies, etc. installation files and directives for pacman
[https://wiki.archlinux.org/title/Pacman#Installing_packages] Obviously this does not apply to AUR packages in the same way, because the source files are usually stored in an external repository. However, for the user, the installation flow is the exact same as if the package contained the source files. To expect the user to download the actual file is too far; what you have then is not a package, but an installation script. I think there is an argument to be made that davinci-resolve is unpackageable under a strict interpretation of the AUR guidelines. I'm not averse to the old implementation of the package, though, because it was still a package. Also, can we please have plaintext emails? Sam
El vie, 20-03-2026 a las 22:18 +1100, Sam K escribió:
I'll just throw in my 2 cents.
I'll do the same ;-) I see that there’s a discussion about which option is better or worse for the PKGBUILD, but no one is addressing the root of the problem: the fact that Blackmagic Design doesn’t provide a direct download URL for the package. Therefore, strictly speaking, according to AUR guidelines, the package shouldn’t be available in any other form. What I would suggest is that someone with “clout” in the Arch Linux community (at least someone with an `@archlinux.org` email address) get in touch with Blackmagic Design and explain the situation: “Hey, I want to package your software without it costing you any effort, and as a bonus, you’ll get new users (who knows, maybe they’ll end up buying the PRO version later), and all I need for that is for you to give me a direct link (which you can also track to see how many Arch Linux users you have)" We tend to think of companies as unapproachable entities, but if you explain things politely, many doors will open. This is, of course, just a suggestion. Greetings. -- Óscar García Amor | ogarcia at moire.org | http://ogarcia.me
I'm going to retract what I said earlier about the old package design being acceptable. We should not try and circumvent intentional Blackmagic design, whether it's technically permitted by the TOS or not.
Therefore, strictly speaking, according to AUR guidelines, the package shouldn’t be available in any other form.
I agree. To be honest, I don't see that the package is currently adding enough utility beyond a manual installation to warrant being a package in the first place.
Having to locally download files shouldn't be breaking behavior for a user when using AUR Packages as best practice expects the user to confront themselves with the content of the PKGBUILD anyway. This includes to take notice of additional requirements such as the file that is locally required. One can expect so much effort to put in by the user.
Well, the AUR package is still supposed to be a package right? I feel like the fact that users should read a pkgbuild isn't an excuse to insert additional friction into the package. AUR packages are supposed to have some utility, otherwise they wouldn't exist.
What I would suggest is that someone with “clout” in the Arch Linux community (at least someone with an `@archlinux.org` email address) get in touch with Blackmagic Design and explain the situation
+1. Alternately maybe it can be Muflone who writes the email, but in general I think this is a good idea. Sam
Hello
Having to locally download files shouldn't be breaking behavior for a user when using AUR Packages as best practice expects the user to confront themselves with the content of the PKGBUILD anyway. This includes to take notice of additional requirements such as the file that is locally required. One can expect so much effort to put in by the user. Well, the AUR package is still supposed to be a package right? I feel like the fact that users should read a pkgbuild isn't an excuse to insert additional friction into the package. AUR packages are supposed to have some utility, otherwise they wouldn't exist.
The main difference between running the installer from Blackmagic website is pacman will be able to track the files in your system, including, but not only, updating the versions and remove the package in the case is not needed anymore. However, using the package from AUR is not a strict requirement. If so many people have been complaining for a year about the removal of direct downloads from the Blackmagic website, they should seriously consider other alternatives. Sufficient reasons and explanations have been provided, and this thread has added nothing more than what has already been written over the past year. I’ve already provided far too many explanations (and endured far too many insults) regarding this package, and I won’t offer any further arguments about this topic.
What I would suggest is that someone with “clout” in the Arch Linux community (at least someone with an `@archlinux.org` email address) get in touch with Blackmagic Design and explain the situation +1. Alternately maybe it can be Muflone who writes the email, but in general I think this is a good idea.
AUR is not officially supported by Arch Linux, and no packages on AUR can be sponsored by Arch Linux or are part of the Arch Linux project. Since I do not intend to move DaVinci Resolve and DaVinci Resolve Studio packages to the official Arch Linux repositories, I will not be sending any official requests to Blackmagic, either via my @archlinux.org email address or my personal email addresses. Best regards -- Muflone
El sáb, 21-03-2026 a las 20:42 +0100, Muflone escribió:
AUR is not officially supported by Arch Linux, and no packages on AUR can be sponsored by Arch Linux or are part of the Arch Linux project. Since I do not intend to move DaVinci Resolve and DaVinci Resolve Studio packages to the official Arch Linux repositories, I will not be sending any official requests to Blackmagic, either via my @archlinux.org email address or my personal email addresses.
But you can explain exactly what you just mentioned, Muflone: I’d like to package your software in the AUR. The AUR is this (and you explain what it is), and the reason I can’t get the package into official repositories is the one you mentioned. What do you have to lose by trying? You’ve already heard “no,” but maybe you’ll succeed. I myself have contacted developers of various projects in the past to see if they could tweak something just a little so I could easily get it into the AUR, and they’ve all been grateful to me for it. Greetings. -- Óscar García Amor | ogarcia at moire.org | http://ogarcia.me
Hello, I can see the inconvenience of requiring manual steps for a PKGBUILD, but I feel like that it is probably the right thing to do in this situation. One would probably want to avoid further issues with Blackmagic Design down the road. An healthy amount of precaution can't hurt and the practice of requiring files to provided locally doesn't seem uncommon for the AUR as well. I have gone through a similar situation when adopting packages for Oracle GraalVM Enterprise Edition lately. LTS Releases require users to register an account and agree to additional License Agreements on download. Workarounds for getting those files existed and were used by AUR Package Maintainers and others for a while until eventually closed and there being actual conflicts being Package Maintainers and Oracle that caused the Maintainers to orphan their packages. While I appreciate that you pointed out that workarounds for Davinci Resolve exist and/or have been used in the past, downloading the files primary through Support Centers etc. is likely unintended behavior and could throw a bad light at the AUR or Arch, or degrade the service the Support Center could provide for other users in the future. Blackmagic Design has probably legitimate interest in ensuring that people go through the flow of the website to be potentially "upsold" on the Studio Version or be bound to their Privacy Policy and Terms on registration. If not for "AUR rule violations", maintaining or using AUR packages shouldn't make us break terms or conditions of the developer of the software. Having to locally download files shouldn't be breaking behavior for a user when using AUR Packages as best practice expects the user to confront themselves with the content of the PKGBUILD anyway. This includes to take notice of additional requirements such as the file that is locally required. One can expect so much effort to put in by the user. One thing I could maybe see being done here is approaching Blackmagic Design directly in a diplomatic manner to find a solution to optimizing this, but since the primary goal of Blackmagic Design seems to be the identification of it's users, I am not optimistic about how and if we had could come to compromise there. If anything, Muflone as the package maintainer is probably the most qualified in assessing if such an approach would be useful and to have said conversation. I apologize in advance when I messed up to answer to this thread, since I am new to using mailing lists. Best Regards, PureFallen
Hey, Will heap my responses into a single email.
As another staff member who moderates the AUR (though not as often as Fabio), discussion of changes is fair game for this mailing list.
Changes to what? Either: 1. Make the PKGBUILD impossible to audit by the average person, well that would be a security concern. 2. Lobby for upstream to provide a stable URL, or even go as far as was done with Discord (seen as Muflone is staff) and see if Arch can get written permission to redistribute resolve as a package. Other than that, I do not see what possible outcomes there are to discuss.
You're coming at this from a much more aggressive position than the OP. There's no indication that OP intends to die on this hill—they simply want to discuss the change and whether it could potentially be revisited
I meant no aggression. The reason I used "die on the hill" because I don't see how fetching one file manually is a big enough deal that it warrants a whole new discussion on a discussion which (as I quoted in the previous email) had already been done on the AUR comment section.
I don't see anything wrong with that given the way they've presented their arguments. The worst we can say is that we won't change it back.
Never said anything was wrong, just their argument is directly towards the wrong person. I don't see what Muflone is meant to do, either you compromise on security or you fetch it yourself. I don't think anyone here is going to say the former is the better option.
A fair point, but as you've admitted, Resolve is much more advanced than the likes of Shotcut, Kdenlive, etc. If you want a professional video editor the likes of Premiere or Sony Vegas on Linux, you need Resolve. That's not to knock the FOSS competition in any way, it's just reality.
Indeed. Although kdenlive to my knowledge has become a competitive choice when it comes to video editing (disclaimer I am not a video editor, this comes purely from discussions with those who are).
Polarian, I'd like to remind you—as I know others have in the past—you are not an AUR moderator. You've engaged in what's called "armchair moderation" here, where someone with no power to enforce rules attempts to do so anyway.
I have no desire to "enforce rules". As with everyone else subscribed to the mailing list I have the ability to reply to emails. I think you have gotten the wrong intent of the email. My previous email was literally pointing out that the entire discussion had already been done previously, and cited the comments, there was no intent of moderation there.
If you're going to engage in this discussion—and you should feel free to do so—please do so constructively and without speaking for the Arch staff members that are fully capable of speaking for themselves.
I didn't? I pointed out that Muflone was a staff member and thus fully understood the rules. There is a difference between the average AUR maintainer and a staff member who regularly rules on AUR requests. I wasn't speaking for Muflone, I was pointing out the AUR package is maintained by someone who is well know. I did cite his comments, to show that this discussion was already discussed and ruled on. I think you have completely misunderstood the intent of my email, I was simply trying to help by pointing out what had already been discussed, not trying to moderate in any way.
Obviously this does not apply to AUR packages in the same way, because the source files are usually stored in an external repository. However, for the user, the installation flow is the exact same as if the package contained the source files. To expect the user to download the actual file is too far; what you have then is not a package, but an installation script.
The AUR doesn't provide packages, they provide build scripts for packages. The only annoyance with this is that you cant use AUR helpers, but Arch doesn't support these anyways so there's no basis for argument that breaking AUR helpers would violate the rules.
I think there is an argument to be made that davinci-resolve is unpackageable under a strict interpretation of the AUR guidelines.
Arch Linux is pragmatic, so there should be no "strict interpretation" they are more guidelines. A PKGBUILD for resolve is better than nothing, even if it needs manual intervention.
I'm not averse to the old implementation of the package, though, because it was still a package.
No it is a build script, used to build a package. All the removed changes did was bypassed the annoyances upstream, but as explained numerous times doing so was difficult to audit, and the average user, because AUR is build scripts NOT a package, needs to be able to audit the PKGBUILD before building it, otherwise its a security threat.
One thing I could maybe see being done here is approaching Blackmagic Design directly in a diplomatic manner to find a solution to optimizing this, but since the primary goal of Blackmagic Design seems to be the identification of it's users, I am not optimistic about how and if we had could come to compromise there. If anything, Muflone as the package maintainer is probably the most qualified in assessing if such an approach would be useful and to have said conversation.
This is usually done by Arch staff (which Muflone is) and it could indeed be beneficial for an official email to be sent to blackmagic, like done with Discord. Potentially allowing for not only a stable URL for source downloading, but also permission to redistribute resolve, allowing it to be pulled into the repositories in the future. If Muflone is around maybe they can comment on this, otherwise maybe someone should ask them directly if they have attempted this yet?
I apologize in advance when I messed up to answer to this thread, since I am new to using mailing lists.
Your reply is good, and I fully agree.
The download procedure through the support center and through the main page is identical. The form is always required for the free version, and always optional for the paid one. The support center provides access to older versions of the software (and other, auxiliary software, like Fusion standalone or the control panel setup tooling). I’m certain that Blackmagic doesn’t mind people using it; as I stated before my primary reason for going there is acquiring older, more bug-free software versions
You have missed the point made again. I do agree that working around the restrictions put in place by blackmagic is wrong, but the bigger issue here is the security implications of a complicated script which must be used to bypass blackmagic, which the average user cannot audit and thus can't be sure the PKGBUILD is not malicious. Unless there is a easy URL to get the distributable from, the safest option is what Muflone has already done, which is to require manual intervention (download the distributable manually). I agree, this is not ideal, but security comes first, and there is an argument also to be made of not causing issues upstream by bypassing what blackmagic has put in place. The tradeoff is massively outweighed by the benefits in this case, and thus I still don't see what there is to discuss here.
Either way, I do understand the concerns with violating Blackmagic’s TOS and license agreements, but I haven’t read them, so I cannot tell you.
That is an additional point you are still missing the main point, it is a security concern. The PKGBUILD IS NOT a package, and must be reviewed by the average user. Most users do not have indepth knowledge of shell scripting and thus the bypass can't be audited by the average user.
I was doing this for some time, but it’s effectively more effort (especially when trying to keep up with fixes to the upstream PKGBUILD) than downloading the package manually from Blackmagic’s website in the first place.
How long does it feasibly take to download the distributable from upstream? 1 minute? In contrast, say if you poorly audited a PKGBUILD and it wiped your user home directory, how long would that take to recover from? Security matters far more here. Take care, -- Polarian Jabber/XMPP: polarian@icebound.dev
participants (12)
-
archlinux.slogan162@passmail.net
-
Campbell Jones
-
Dominik Lampl
-
Gamy
-
kleines Filmröllchen
-
Lex Black
-
Marek Küthe
-
Muflone
-
Polarian
-
Sam K
-
SK
-
Óscar García Amor