[aur-dev] .SRCINFO: handling of commits lacking an update and in general
Peter Mattern
pmattern at arcor.de
Sun Jul 26 15:09:49 UTC 2015
Am 26.07.2015 um 16:00 schrieb Doug Newgard:
> On Sun, 26 Jul 2015 14:48:04 +0200
> Peter Mattern<pmattern at arcor.de> wrote:
>
>> Hello.
>>
>> Considering the short time AUR 4 is in use the number of commits lacking
>> an update of .SRCINFO seems to be rather high.
>> The resulting problem is a cosmetic one only as the actual PKGBUILD
>> functionality isn't affected but only the package's web page not updated
>> accordingly.
>> Yet I wonder whether it would be helpful to reject commits lacking the
>> update of .SRCINFO if feasible.
> Please don't. What about commits that make changes to the PKGBUILD but require
> no changes to .SRCINFO?
But how should such a change to PKGBUILD look like?
IMO each reasonable change to PKGBUILD involves bumping pkgver and/or
pkgrel and as such makes adjusting .SRCINFO mandatory, no?
And even if changes like this do exist I can hardly figure they outweigh
the disadvantages stated by Remy in the meantime.
>
>> Actually I wonder as well whether it wouldn't even be better to not have
>> .SRCINFO written by the packagers before uploading a commit but by
>> aurweb when commits are received.
>> This would ensure that problems like the one stated above can't happen
>> and I for one couldn't figure a downside so far.
> The downside is that running random bash scripts (PKGBUILDs) on the server is an
> unacceptable security risk. That's the entire reason these metadata files were
> created.
Admittedly I didn't consider PKGBUILD's nature as a shell script when
submitting my first post. Given the structure of PKGBUILD I wonder
whether writing .SRCINFO at the server side shouldn't be doable in a way
avoiding security issues nevertheless.
Could of course very well be a task that isn't worth the pain.
More information about the aur-dev
mailing list