[aur-requests] [PRQ#11319] Orphan Request for zfs-dkms
RubenKelevra [1] filed an orphan request for zfs-dkms [2]: The current maintainer seems to be overworked and it takes weeks for a simple update, every time. The maintainer was criticized in the comments by other users for this behavior and doesn't take responsibility for this by responding. There's also a security flaw in this and the spl-dkms package: There's no checksum check at all; the packages just pull the git repo from github, build and load them into the kernel. I've just pointed this out, but I doubt he/she will ever respond to this. [1] https://aur.archlinux.org/account/RubenKelevra/ [2] https://aur.archlinux.org/pkgbase/zfs-dkms/
Request #11319 has been rejected by Eschwartz [1]: Checksums don't add security, that's why they're the "integrity check", not the "security check". Do you know how many [core] packages don't have PGP signatures available at all? Those are used on far more devices. Granted, using PGP when available is always nice. But I don't see you screeching at the non-dkms package maintainer to fix *his* packages which don't use PGP either... So much for the "security flaw". As for maintainers taking "weeks for a simple update", not everyone can update the very day something is released, you get what you pay for and sometimes not even that in the AUR. This is why we offer maintainers grace periods, because otherwise no one would be able to maintain packages for more than two or three upstream updates before some overwrought individual throws a tantrum and claims the package for themselves. We can discuss this as and when that becomes relevant, but this is not even currently out of date... Your false complaint about security gets extra points taken off of my likelihood to care what you have to say. [1] https://aur.archlinux.org/account/Eschwartz/
On 05/06/2018 01:08 PM, notify--- via aur-requests wrote:
> Request #11319 has been rejected by Eschwartz [1]:
> Checksums don't add security, that's why they're the "integrity check", not the "security check". Do you know how many [core] packages don't have PGP signatures available at all? Those are used on far more devices.
Really I should clarify. I've actually fought for the use of integrity checksums more, e.g. unsuccessfully asking for --geninteg to default to better checksums. Even a non-perfect fix is better than nothing, and every bit helps. I also prefer when using git sources to pin the #commit= instead of tags. This wasn't my main reason for rejecting your request though, instead this was:
> Granted, using PGP when available is always nice. But I don't see you screeching at the non-dkms package maintainer to fix *his* packages which don't use PGP either...
> So much for the "security flaw".
In the comments you complained that PGP is not used, but you're involved with archzfs (and therefore hardly objective). What I find interesting is the sheer gall in essentially saying we should forcibly orphan a package because we don't like his checksum policies, then capping that off by complaining about the lack of PGP *when archzfs does the exact same thing*. And you're even involved with that and could fix it far easier. archzfs may take 10 months to still not merge the fix for erroneously depending on a specific pkgrel of the kernel, and the code may be nearly as bad/unreadable as the average GNU project, or perhaps the output of grub-mkconfig (a scarily apt comparison between two horrible autogenerators)... but it seems to have a pretty fair track record of *listening* and engaging in dialogue with users.
> As for maintainers taking "weeks for a simple update", not everyone can update the very day something is released, you get what you pay for and sometimes not even that in the AUR. This is why we offer maintainers grace periods, because otherwise no one would be able to maintain packages for more than two or three upstream updates before some overwrought individual throws a tantrum and claims the package for themselves.
This is really the only thing that matters at the end of the day.
> We can discuss this as and when that becomes relevant, but this is not even currently out of date... Your false complaint about security gets extra points taken off of my likelihood to care what you have to say.
False might be too strong a word; it's just hypocritical and overinflated for the actual magnitude of the issue.

-- 
Eli Schwartz
Bug Wrangler and Trusted User
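As an added example, not part of this thread or of any AUR package's own PKGBUILD: a small checker for the integrity points raised above (checksum algorithm strength, SKIP entries on plain downloads, git sources pinned with #commit= rather than #tag=, and validpgpkeys present when a signature file is listed). Both PKGBUILD texts are constructed, with placeholder URLs, hashes and key fingerprint.

```python
import re

ALGOS = ("sha512", "b2", "sha256", "sha1", "md5")   # strongest first


def _array(text: str, name: str) -> list[str]:
    """Entries of a bash array assignment `name=( ... )` in PKGBUILD text, or []."""
    m = re.search(rf"^{name}=\((.*?)\)", text, re.M | re.S)
    return [e.strip("'\"") for e in m.group(1).split()] if m else []


def lint_sources(pkgbuild: str) -> list[str]:
    """Return integrity findings for a PKGBUILD's source array (empty list = clean)."""
    findings = []
    sources = _array(pkgbuild, "source")
    present = [a for a in ALGOS if _array(pkgbuild, f"{a}sums")]
    if not present:
        findings.append("no checksum array at all")
    if any(a in ("md5", "sha1") for a in present):
        findings.append("weak checksum algorithm (md5/sha1); use sha256 or stronger")
    sums = _array(pkgbuild, f"{present[0]}sums") if present else []
    if present and len(sums) != len(sources):
        findings.append("checksum array length does not match source array")
    has_keys = bool(_array(pkgbuild, "validpgpkeys"))
    for i, entry in enumerate(sources):
        url = entry.split("::", 1)[-1]              # drop optional "filename::" prefix
        skipped = i < len(sums) and sums[i].upper() == "SKIP"
        if url.startswith(("git+", "git://")):
            # VCS sources carry SKIP, so the fragment is the only integrity anchor:
            # #tag= and #branch= can be moved upstream, a commit hash cannot.
            if "#commit=" not in url:
                findings.append(f"source[{i}] git source not pinned with #commit=")
        elif url.endswith((".asc", ".sig")):
            # without validpgpkeys, any key trusted in the builder's keyring is accepted
            if not has_keys:
                findings.append(f"source[{i}] signature file but validpgpkeys is empty")
        elif skipped:
            findings.append(f"source[{i}] checksum is SKIP for a plain download")
    return findings


# Constructed samples (placeholder host, commit hash, checksum and fingerprint).
WEAK = """\
source=("zfs::git+https://example.invalid/zfs.git#tag=zfs-0.7.9")
md5sums=('SKIP')
"""
HARDENED = """\
source=("zfs::git+https://example.invalid/zfs.git#commit=0123456789abcdef0123456789abcdef01234567"
        "https://example.invalid/spl-0.7.9.tar.gz"
        "https://example.invalid/spl-0.7.9.tar.gz.asc")
sha256sums=('SKIP'
            'deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef'
            'SKIP')
validpgpkeys=('0000000000000000000000000000000000000000')
"""
```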