[arch-general] Is Voting Effective?

Nowaker enwukaer at gmail.com
Fri Apr 11 20:28:55 EDT 2014 

Hi guys,

I really enjoy our status quo with AUR. This is the first user-repo in 
the Linux world that is easy to talk to. Just compare to these Ubuntu's 
PPAs that you first need to find and trust. I really prefer to run 
yaourt -Ss package-i-am-looking-for, and not to Google for "arch linux 
package-i-am-looking-for", then call repo-add, etc. Staying in the 
console is a very big plus for me.

I am also satisfied with how AUR users keep it clean. Delete requests 
(including binaries directly in the PKGBUILD!), merge requests, disown 
requests... While there could be more automation involved, I do believe 
AUR is the best user-repo I have ever used.

Lastly, I am OK to build the packages myself. After all, I see the 
PKGBUILD, which is just simple code. Or even alternatively I see where 
the binaries are downloaded from. If they are downloaded from the 
upstream I am totally OK with that. Binaries built by AUR wouldn't be nice.

> The process could also involve grabbing the files (or hashes) through
> different Tor exit nodes and comparing them to make sure they're all the
> same, and there's no attacker messing with the local Internet
> connection.

This is the *only* improvement I could see for AUR. Not only trust 
sha256sums provided by the maintainer, but also have a guarantee that 
these sha256sums are validated by AUR. If they don't match - the package 
is not available for download.

Anything else like binaries built by AUR itself, trusting the users, 
finding their private repos etc. I do oppose.


Regarding the subject (Is Voting Effective?). Theoretically, packages 
are picked from AUR to [community] according to the number of votes. 
However, I have never seen anything like that. Any time a new Trusted 
User candidate asks to join the team, they list packages that they want 
to move from AUR to [community]. It's totally arbitrary. If there's no 
one to be interested in maintaining the package, it remains in AUR. Fine 
by me.

-- 
Kind regards,
Damian Nowak
StratusHost
www.AtlasHost.eu

More information about the arch-general mailing list