[arch-general] bitcoin-qt out-of-date

Eli Schwartz eschwartz93 at gmail.com
Thu Sep 1 17:38:13 UTC 2016


On 09/01/2016 12:54 PM, Diego Viola wrote:
> I actually know that, yes. My point is that there can be bad PKGBUILDs
> out there that could fetch the bitcoin-qt binary from somewhere else,
> which means I'll need to review the PKGBUILD beforehand or write my
> own.
> 
> I admit to not use the AUR a lot (I stick mostly to packages from the
> repos), but I understand how the AUR works.

Well, that is good, especially since I was joking.

But you do realize that the idea of "bad PKGBUILDs out there" is a
known, fundamental part of the AUR and you are *always* advised to read
what you run before running it?

... with the exception of any particular maintainers who you may or may
not have a specific reason to trust. e.g. The Arch Developers and
Trusted Users, many of whom also maintain AUR packages.

You can also check a *-git PKGBUILD once, save it and re-run periodically.
Or use the AUR git support to see what a maintainer has changed in their
latest push to the AUR. Some AUR helpers even remember your packages and
show you the diff of what changed...
Or use Xyne's "bauerbill"[1] AUR helper which can track who you trust
and/or which AUR upload dates you trust, individually or together (and
otherwise prompt you to review the PKGBUILD).

...

Reading a PKGBUILD does not take a lot of time, why do you consider it
such a horrible burden that complaining on the mailing list about
"irresponsible" maintainers is more efficient?

-- 
Eli Schwartz


[1] https://bbs.archlinux.org/viewtopic.php?id=205834
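
The workflow mentioned in the message above (using the AUR's git support to see what a maintainer changed in their latest push), as an added example that is not part of the original post. The function names, the grep heuristics and the constructed demo repository are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: review a maintainer's latest AUR push before building.
# Function names and grep patterns are assumptions, not AUR tooling.

# Show everything upstream changed since the revision you last reviewed.
aur_pending_diff() {
    git -C "$1" fetch --quiet || return 1
    # HEAD = last reviewed revision, @{u} = maintainer's latest push
    git -C "$1" --no-pager diff 'HEAD..@{u}'
}

# Only the added lines that change where code comes from or how it is
# verified (heuristic; read the full diff as well).
aur_risky_changes() {
    aur_pending_diff "$1" | grep -v '^[+][+][+] ' |
        grep -E '^\+.*(://|sums=|validpgpkeys=|install=)'
}

# Fast-forward the checkout once the diff has been read.
aur_accept() {
    git -C "$1" merge --ff-only --quiet '@{u}'
}

# Constructed stand-in for an AUR remote plus a local checkout
# (sample data, not a real package).
make_demo() {
    d=$(mktemp -d) || return 1
    g="git -c user.name=demo -c user.email=demo@example.invalid"
    git init --quiet "$d/remote"
    printf '%s\n' 'pkgname=demo' \
        'source=("https://example.org/demo-1.0.tar.gz")' \
        'sha256sums=("aaaa")' > "$d/remote/PKGBUILD"
    $g -C "$d/remote" add PKGBUILD
    $g -C "$d/remote" commit --quiet -m 'initial'
    git clone --quiet "$d/remote" "$d/checkout"
    # The "maintainer" now swaps the download host and drops the checksum.
    printf '%s\n' 'pkgname=demo' \
        'source=("https://example.net/demo-1.0.tar.gz")' \
        'sha256sums=("SKIP")' > "$d/remote/PKGBUILD"
    $g -C "$d/remote" commit --quiet -am 'update'
    echo "$d/checkout"
}
```

On a real checkout, run `aur_pending_diff` in the directory cloned from the AUR, read the output, and only then call `aur_accept` and `makepkg`.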