[aur-general] TU appliance Jens Maucher (defcon)

xyne xyne at archlinux.ca
Sun Apr 5 17:37:29 EDT 2009


"Ali H. Caliskan" <ali.h.caliskan at gmail.com> wrote:

> Well, as long as there is no human factor at stake, I believe making a
> package, especially a community package, isn't that much of a security risk. We
> are not talking about "core" or "extra" packages, just the community repo,
> which is of course provided by the community users. I'm sure that the
> Arch Linux user would understand that.
>... 

I don't agree with that reasoning. Even though there are warnings and the user has to enable the community repo him-/herself, there is still a reasonable expectation of package quality which leads to a base level of trust for community packages. The same cannot be said for the AUR which, by your reasoning, should elicit the same level of confidence as the community repo or perhaps even more because the user builds the packages him-/herself. Even if the community repo is run by "community users", the selection of those users strives to ensure certain minimal standards that warrant the trust of those who use the repo, even if it may not be as rigorous as the selection of those charged with the maintenance of the core and extra repos. 

For the record, I have no opinion of Jens' packaging abilities nor did I vote on his application (as I wasn't yet a TU). I am only responding to this particular point of your post and my response is only a statement of my own (possibly naïve) opinion.

Regards,
Xyne

