[aur-dev] [PATCH 2/2] Require TUs to explicitly request to overwrite a pkgbase

Lukas Fleischer lfleischer at archlinux.org
Fri Jul 21 16:47:09 UTC 2017

On Fri, 21 Jul 2017 at 06:13:40, Eli Schwartz wrote:
> AUR_PRIVILEGED allows people with privileged AUR accounts to evade the
> block on non-fast-forward commits. While valid in this case, we should
> not do so by default, since in at least one case a TU did this without
> realizing there was an existing package.
> ( https://aur.archlinux.org/packages/rtmidi/ )
> Use .ssh/config "SendEnv" on the TU's side and and sshd_config
> "AcceptEnv" in the AUR server to specifically request privileged access.
> TUs should use: `export AUR_PRIVILEGED=1; git push`
> [...]

I am not sure whether this is a good idea. AUR_PRIVILEGED is not only
used for non-fast-forward pushes. It is used for every SSH interface
command that requires TU privileges, such as disowning other users'
packages or changing the keywords of a package one does not maintain. It
seems rather inconvenient to require TUs to prefix all their superpower
commands with AUR_PRIVILEGED=1.

Actually, TUs should *never* make use of the forced push feature unless
they are dealing with some copyright infringement or removing some other
legally questionable stuff from the history. So it might make sense to
either restrict this feature to very few TUs (those dealing with legal
issues reported to aur-support at archlinux.org) or to add some kind of
extra switch as you suggested -- but only for non-fast-forward pushes.

The warning you implemented in patch 1/2 certainly is a good idea as
well. Thanks!


More information about the aur-dev mailing list