[arch-general] Fwd: A plea for communication from Arch devs & maintainers
Sam Mulvey
archlinux at sammulvey.com
Wed Nov 3 17:46:10 UTC 2021
On 11/3/21 03:42, Jonas Witschel wrote:
>
> Opening a bug report with the necessary information is very simple,
With as much respect as I can textually apply, I would not describe the
description that follows as "simple." Instead, I'll talk about my
experiences with simple version bumps with something I need. Often
it's a security patch, but sometimes it's a feature.
A simple version bump for a package is some time behind. I don't know
why; web forums are poisonous and search generally lands on pages where
someone is getting it wrong, and frankly stuff like that can't be found
on bbs anyway. There's nothing in the bug reports. However simple
version bump patches are not welcome, and the time I submitted one did
not go well.
So what I've done for the last decade or so is snag the package out of
asp, create a "pkgrel=0" package with the change, and get on with my
life. When the official package comes out, my band aid goes away.
What does this have to do with the AVG? Haven't a clue, but it seems
like it would be a nice thing if I could share my "clerical work" with
the group without making it seem like I'm mad at the maintainer for
living life and catching Dune on IMAX.
Now, I've encountered this situation less than a hundred times over my
life with Arch, and the incidence is decreasing over time. It's rare
enough that I barely register it as a problem, but people are talking
about it so I figured I should speak up.
My crude idea about a way to update pkgver and *sums without spamming up
the buglist was a way to address my experiences and (apparently) the
experiences of other folks on the list.
> If you are aware of any open security issues that are not yet included in the
> security tracker, we would love to hear about them! The easiest way to get in
> touch is the #archlinux-security IRC channel on Libera Chat, but see [2] for
> more ways of contact.
FWIW, I do not necessarily agree that there are security-specific issues
involved here. All I mean is given the architecture of Arch, there are
really easy ways to show what the problem is outside the aegis of AUR or
the repos, if there *is* a problem.
If there isn't a problem, trying to organize the stated issues into
actual solutions would make that clearer.
> Finally, I would like to contest the assertion that users would need "a lot of
> local package updates for security fixes" in order to keep a secure system:
> looking at the open security issues in [1], the vast majority of these are
> unresolved upstream, so no package update will solve them.
This is a very mild microcosm of my experiences with Arch Linux, and why
a thread about "a plea for communication" speaks to me. I installed Arch
for the first time when I did something unspeakable to a macbook and
needed something until I fixed it. Not too long after that every device
I could make run Arch was running Arch. Technically, it's simple and
magnificent.
Yet, as soon as a person is involved simple goes out the window. Most of
my interfaces with the Arch team have always been challenging, and every
time I dip my toe in I end up having someone "contest" what I'm saying
in varying degrees. The only major package I maintain in AUR happened
because I accidentally offended the TU who was maintaining the package.
There are a lot of unspoken rules to the Arch Linux community. More than
I'm used to from a volunteer organization and I work 100% in the
volunteer space. Thus far I have been unable to navigate it. Since
Arch continues to make good technical decisions-- even when I disagreed
with those decisions-- I decided to keep using it and just keep my trap
shut.
When someone else seemed like they were facing the same issues I was, I
decided to speak up. Then people started going on about how reddit is
"cucked" and brigading on 4chan, so I probably should have continued
with the trap shut business.
Nonetheless, you do good work and I thank you for it.
-Sam
More information about the arch-general
mailing list