[arch-general] Fwd: A plea for communication from Arch devs & maintainers

Sam Mulvey archlinux at sammulvey.com
Wed Nov 3 17:46:10 UTC 2021


On 11/3/21 03:42, Jonas Witschel wrote:
>
> Opening a bug report with the necessary information is very simple,

With as much respect as I can textually apply, I would not describe the 
description that follows as "simple."    Instead, I'll talk about my 
experiences with simple version bumps with something I need.   Often 
it's a security patch, but sometimes it's a feature.

A simple version bump for a package is some time behind.   I don't know 
why; web forums are poisonous and search generally lands on pages where 
someone is getting it wrong, and frankly stuff like that can't be found 
on bbs anyway.  There's nothing in the bug reports.  However, simple 
version bump patches are not welcome, and the time I submitted one did 
not go well.

So what I've done for the last decade or so is snag the package out of 
asp, create a "pkgrel=0" package with the change, and get on with my 
life.   When the official package comes out, my band-aid goes away.

What does this have to do with the AVG?   Haven't a clue, but it seems 
like it would be a nice thing if I could share my "clerical work" with 
the group without making it seem like I'm mad at the maintainer for 
living life and catching Dune on IMAX.

Now, I've encountered this situation less than a hundred times over my 
life with Arch, and the incidence is decreasing over time.  It's rare 
enough that I barely register it as a problem, but people are talking 
about it so I figured I should speak up.

My crude idea about a way to update pkgver and *sums without spamming up 
the buglist was a way to address my experiences and (apparently) the 
experiences of other folks on the list.

> If you are aware of any open security issues that are not yet included in the
> security tracker, we would love to hear about them! The easiest way to get in
> touch is the #archlinux-security IRC channel on Libera Chat, but see [2] for
> more ways of contact.

FWIW, I do not necessarily agree that there are security-specific issues 
involved here.   All I mean is given the architecture of Arch, there are 
really easy ways to show what the problem is outside the aegis of AUR or 
the repos, if there *is* a problem.

If there isn't a problem, trying to organize the stated issues into 
actual solutions would make that clearer.


> Finally, I would like to contest the assertion that users would need "a lot of
> local package updates for security fixes" in order to keep a secure system:
> looking at the open security issues in [1], the vast majority of these are
> unresolved upstream, so no package update will solve them.

This is a very mild microcosm of my experiences with Arch Linux, and why 
a thread about "a plea for communication" speaks to me. I installed Arch 
for the first time when I did something unspeakable to a MacBook and 
needed something until I fixed it. Not too long after that every device 
I could make run Arch was running Arch. Technically, it's simple and 
magnificent.

Yet, as soon as a person is involved, simple goes out the window. Most of 
my interfaces with the Arch team have always been challenging, and every 
time I dip my toe in I end up having someone "contest" what I'm saying 
in varying degrees.   The only major package I maintain in AUR happened 
because I accidentally offended the TU who was maintaining the package.

There are a lot of unspoken rules to the Arch Linux community. More than 
I'm used to from a volunteer organization and I work 100% in the 
volunteer space.   Thus far I have been unable to navigate it.   Since 
Arch continues to make good technical decisions-- even when I disagreed 
with those decisions-- I decided to keep using it and just keep my trap 
shut.

When someone else seemed like they were facing the same issues I was, I 
decided to speak up.   Then people started going on about how reddit is 
"cucked" and brigading on 4chan, so I probably should have continued 
with the trap shut business.

Nonetheless, you do good work and I thank you for it.

-Sam



