[PRQ#61292] Deletion Request for upg
xiota [1] filed a deletion request for upg [2]:

Maintainer is upstream dev. Program looks like a personal system maintenance script that is dangerous for other users to run. Does not belong on AUR.

Maintainer was notified of issues on GitHub last week. I also commented on AUR, intent to open deletion request. Maintainer has not responded.

Review of package and script found the following:

* PKGBUILD does not use checksums or signature, allowing retag to arbitrary commit.
* Script options are hard coded with no way for user to adjust without editing the script. This indicates script is suitable only for personal use by the author.
* Script deletes pacman lockfile - could cause significant damage to system.
* Script modifies grub and initramfs - could make system unbootable with no benefit because package managers typically already perform these tasks as needed.
* Script runs tasks that users may not want: clears cache, empties trash
* Script makes runtime assumptions that don't necessarily hold (e.g., certain variables are not empty), potentially unintentionally altering system files.

[1] https://aur.archlinux.org/account/xiota/
[2] https://aur.archlinux.org/pkgbase/upg/
Request #61292 has been Accepted by Muflone [1]:

[Autogenerated] Accepted deletion for upg.

[1] https://aur.archlinux.org/account/Muflone/