[arch-general] Is Voting Effective?
Mark Lee
mark at markelee.com
Fri Apr 11 17:49:49 EDT 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 04/11/2014 05:40 PM, Taylor Hornby wrote:
> The main mechanism for moving packages from the AUR into the official
> repositories seems to be the "Vote for this package" mechanism.
> Ideally, all packages would just be in the official repositories, and
> there'd be no AUR. Obviously we don't have the resources for that, so
> there needs to be some mechanism for prioritizing packages.
>
> Because you have to register an account to vote (and I didn't even
> *know* about it until today), the voting mechanism is not effective at
> filtering out the important packages from the sea of mostly-irrelevant
> obscure packages, and it's certainly not a good indicator for package
> quality. This means important packages are getting left behind in the
> AUR even when all other Linux distributions include them in their
> official repositories.
>
> Ultimately, relying on a vote-based popularity measurement too much is
> hurting -- or is going to hurt -- Arch Linux.
>
> Take for example tahoe-lafs and tripwire, with 32 and 13 votes
> respectively.
>
> https://aur.archlinux.org/packages/tahoe-lafs/
>
> https://aur.archlinux.org/packages/tripwire/
>
> These are extremely important tools. And, while they may not be popular
> as measured by the voting system, they are widely used, and both are
> included in Debian's official repositories.
>
> Instead of being able to quickly and easily install signed binaries with
> `pacman -S`, a security-conscious user wanting one of these tools has to
> manually inspect the PKGBUILDs for the packages themselves and many of
> their dependencies to make sure that they're not malicious. And after
> they do all that, they still have to trust insecure connections and MD5
> checksums.
>
> There needs to be an official channel for hearing reasoned arguments on
> why a package should or should not be included in the real repositories,
> and the unscientific vote count should come second.
>
> Is there such a thing?
>
> Thanks for reading,
>
Salutations,
Packages don't reach the official repositories until they have enough
sponsorship (by voting or devs pushing packages) and have been properly
vetted. In addition, a security conscious user should be inspecting
PKGBUILDs (via the ABS) instead of just taking packages as is. Compiling
the packages via the ABS is a further step.
Regards,
Mark
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iF4EAREIAAYFAlNIY30ACgkQZ/Z80n6+J/ZiNAD+N+KWUv9oIzn/HBJPIYq2LJ+V
Ca0eJ6FbbH9DceXUWiQA/RNsBzO0Aq+MLdoHrcS5oJ7TFv9VQ96/PLzgUGIbQ4Ti
=DHkF
-----END PGP SIGNATURE-----
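The inspection step Mark recommends can be partly mechanised. The script below is an added example, not code from the thread or from the Arch project: it writes two constructed PKGBUILDs (a weak one with the problems Taylor describes and a hardened one) and runs a small audit over them using the standard makepkg conventions (md5sums/sha256sums arrays, 'SKIP' entries, validpgpkeys, detached .sig/.asc sources). The package name, URLs, checksum and key fingerprint are placeholders, not a real package.

```shell
# Added example: audit a PKGBUILD for the weaknesses raised in the thread.
# Both PKGBUILDs are constructed for illustration; example.invalid is not a real host.

AUDIT_DIR=$(mktemp -d)

# Weak: plain-http source, MD5 checksum, no upstream signature verification.
cat > "$AUDIT_DIR/PKGBUILD.weak" <<'EOF'
# Maintainer: example (constructed)
pkgname=example-tool
pkgver=1.0
pkgrel=1
arch=('any')
url="http://example.invalid"
source=("http://example.invalid/example-tool-1.0.tar.gz")
md5sums=('d41d8cd98f00b204e9800998ecf8427e')
package() { :; }
EOF

# Hardened: TLS source, SHA-256 pin, detached signature checked against a pinned key.
cat > "$AUDIT_DIR/PKGBUILD.hardened" <<'EOF'
pkgname=example-tool
pkgver=1.0
pkgrel=1
arch=('any')
url="https://example.invalid"
source=("https://example.invalid/example-tool-1.0.tar.gz"
        "https://example.invalid/example-tool-1.0.tar.gz.sig")
sha256sums=('e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
            'SKIP')
validpgpkeys=('0000000000000000000000000000000000000000')  # placeholder fingerprint
package() { :; }
EOF

# Print the lines of a bash array assignment NAME=( ... ), which may span several lines.
# $1 = PKGBUILD path, $2 = ERE for the array name (a _suffix such as source_x86_64 is allowed).
pkgbuild_array() {
    awk -v pat="^$2(_[a-z0-9_]+)?=[(]" \
        '$0 ~ pat { inarr = 1 } inarr { print } inarr && /[)]/ { inarr = 0 }' "$1"
}

# Print one finding per line; return 0 when nothing was flagged, 1 otherwise.
audit_pkgbuild() {
    audit_rc=0
    if grep -qE '^(md5sums|sha1sums)(_[a-z0-9_]+)?=' "$1"; then
        echo "WEAK_CHECKSUM: md5/sha1 checksums; use sha256sums or stronger"
        audit_rc=1
    fi
    if pkgbuild_array "$1" source | grep -qE '(http|ftp)://'; then
        echo "INSECURE_SOURCE: a source URL is fetched over plain http/ftp"
        audit_rc=1
    fi
    if ! grep -q '^validpgpkeys=' "$1" \
       || ! pkgbuild_array "$1" source | grep -qE '\.(sig|asc)'; then
        echo "NO_SIGNATURE_CHECK: no validpgpkeys plus a detached .sig/.asc source"
        audit_rc=1
    fi
    # A 'SKIP' entry is normal for the signature file itself, but without validpgpkeys
    # nothing pins the download at all.
    if pkgbuild_array "$1" '(md5|sha1|sha224|sha256|sha384|sha512|b2)sums' | grep -q "'SKIP'" \
       && ! grep -q '^validpgpkeys=' "$1"; then
        echo "CHECKSUM_SKIP: SKIP entry without validpgpkeys; nothing pins that download"
        audit_rc=1
    fi
    return $audit_rc
}

for f in "$AUDIT_DIR/PKGBUILD.weak" "$AUDIT_DIR/PKGBUILD.hardened"; do
    echo "== $f"
    if audit_pkgbuild "$f"; then echo "no findings"; fi
done
```

A clean result from this script is not a substitute for reading the build and package functions themselves; it only catches the transport and integrity problems named in the thread, and a maintainer can still pin a checksum for a tarball that is itself malicious.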