[aur-general] TU without [community] maintaining?
flo at chaoflow.net
Wed Feb 3 13:10:41 EST 2010
On Wed, Feb 03, 2010 at 06:04:52PM +0000, Pierre Chapuis wrote:
> On Wed, 03 Feb 2010 15:41:38 +0100,
> Thomas Bächler <thomas at archlinux.org> wrote:
> > I think it is a good idea. We could create the "AUR moderator" position
> > instead of calling it "Semi-TU".
> > When I was a TU, I didn't care at all about moderating the AUR, and
> > maybe other TUs feel the same and rather do packaging. Conversely, you
> > don't seem to care about packaging but about AUR moderation.
> > I am forwarding this to arch-dev-public for reference, but I guess
> > ultimately the TUs have to decide.
> I even think it could be a good idea to have "real" Trusted Users in the
> sense that they can be trusted as to which packages they publish on the
> AUR, not necessarily in binary form. They would be approved by some
> process, and then added to a list which could be used by software like
> yaourt / pakthan / bauerbill to let the users install their packages
> without checking the PKGBUILDs. The fact that a package on the AUR is
> maintained by one of these users (they would include current TUs and
> devs) would be accessible in the metadata (through the json RPC for
> I know there used to be a flag like that on the AUR and that it didn't
> work, but I think it's mainly because it was on a "by package" basis
> instead of a "by user" basis, which makes it a lot more work for those
> who have to check.
> As for what should be checked when users apply for this position, I
> would say at least:
> - a sufficient expertise in packaging, proved by the existence of
> several good packages maintained by them on the AUR, and
> - a means to contact them efficiently (valid email address).
> Anyway this is just my two cents as an Arch user, but I consider the
> lack of any way to trust AUR PKGBUILDs without reading them to be the
> thing that annoys me most with Arch as of now.
What about a peer trust network? Publishing packages on the AUR would
involve giving a PGP public key. People sign their PKGBUILDs using
their private key. People can define trust relationships towards other
people ("I trust this person to write good PKGBUILDs" and "I trust this
person's trust in others"). Being a TU would mean being signed by the
TU authority (or whatever), and trusting the TU authority's trust would
mean you can install packages that are created by TUs.
Florian Friesdorf <flo at chaoflow.net>
GPG FPR: EA5C F2B4 FBBB BA65 3DCD E8ED 82A1 6522 4A1F 4367
Jabber/XMPP: flo at chaoflow.net
OTR FPR: 9E191746 213321FE C896B37D 24B118C0 31785700
IRC: chaoflow on freenode,ircnet,blafasel,OFTC
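As an added illustration of the peer trust network sketched in the message above (this is example code written for this page, not code from the thread, the AUR or any of the tools named in it), the following Go program models the three pieces of the proposal: packagers sign their PKGBUILDs, a trusted introducer (the hypothetical "TU authority") certifies TU keys, and a user who trusts that introducer's trust accepts packages signed by any certified key. It assumes Ed25519 signatures from Go's standard library in place of PGP, a single hop of introducer trust, and deterministic keys derived from constructed seed strings; the identity names, seeds and PKGBUILD contents are all made up for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Identity is one participant in the web of trust: an AUR packager, a TU,
// or the hypothetical "TU authority" that certifies TU keys.
type Identity struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewIdentity derives a key pair from a constructed seed string so the
// example is reproducible; real keys would come from a CSPRNG.
func NewIdentity(name, seed string) Identity {
	h := sha256.Sum256([]byte(seed))
	priv := ed25519.NewKeyFromSeed(h[:])
	return Identity{Name: name, Pub: priv.Public().(ed25519.PublicKey), priv: priv}
}

// Certification is one edge of the trust graph: Signer vouches for Subject
// ("I trust this person to write good PKGBUILDs").
type Certification struct {
	Signer, Subject ed25519.PublicKey
	Sig             []byte
}

// certMessage domain-separates certifications from PKGBUILD signatures.
func certMessage(subject ed25519.PublicKey) []byte {
	return append([]byte("pkgbuild-trust-cert:"), subject...)
}

// Certify issues a certification of subject's key, signed by id.
func (id Identity) Certify(subject Identity) Certification {
	return Certification{Signer: id.Pub, Subject: subject.Pub, Sig: ed25519.Sign(id.priv, certMessage(subject.Pub))}
}

// SignedPKGBUILD is a PKGBUILD with a detached signature by its packager.
type SignedPKGBUILD struct {
	Content  []byte
	Packager ed25519.PublicKey
	Sig      []byte
}

// SignPKGBUILD signs the PKGBUILD bytes with the packager's key.
func (id Identity) SignPKGBUILD(content []byte) SignedPKGBUILD {
	return SignedPKGBUILD{Content: content, Packager: id.Pub, Sig: ed25519.Sign(id.priv, content)}
}

// TrustStore holds one user's trust decisions plus collected certifications.
// The two maps mirror the two statements in the mail: direct trust in a
// packager, and trust in an introducer's certifications of others.
type TrustStore struct {
	packagers, introducers map[string]bool
	certs                  []Certification
}

func NewTrustStore() *TrustStore {
	return &TrustStore{packagers: map[string]bool{}, introducers: map[string]bool{}}
}

func (ts *TrustStore) TrustPackager(id Identity)   { ts.packagers[string(id.Pub)] = true }
func (ts *TrustStore) TrustIntroducer(id Identity) { ts.introducers[string(id.Pub)] = true }

// AddCert admits a certification only if its signature really comes from the
// claimed signer, so a forged edge cannot enter the graph.
func (ts *TrustStore) AddCert(c Certification) error {
	if !ed25519.Verify(c.Signer, certMessage(c.Subject), c.Sig) {
		return errors.New("certification signature does not verify")
	}
	ts.certs = append(ts.certs, c)
	return nil
}

// Trusts reports whether pk is trusted directly or via one certification by
// a trusted introducer (one hop only; longer chains would need a depth limit).
func (ts *TrustStore) Trusts(pk ed25519.PublicKey) bool {
	if ts.packagers[string(pk)] {
		return true
	}
	for _, c := range ts.certs {
		if string(c.Subject) == string(pk) && ts.introducers[string(c.Signer)] {
			return true
		}
	}
	return false
}

// CanInstall is the check an AUR helper would run before building: the
// signature must verify AND the signing key must be trusted. Checking trust
// without the signature would let anyone claim a TU's key as the packager.
func (ts *TrustStore) CanInstall(p SignedPKGBUILD) (bool, string) {
	if !ed25519.Verify(p.Packager, p.Content, p.Sig) {
		return false, "PKGBUILD signature does not verify"
	}
	if !ts.Trusts(p.Packager) {
		return false, "packager key is not trusted"
	}
	return true, "ok"
}

func main() {
	authority, alice, bob := NewIdentity("TU authority", "seed-a"), NewIdentity("alice (TU)", "seed-b"), NewIdentity("bob", "seed-c")
	ts := NewTrustStore()
	ts.TrustIntroducer(authority)            // the user trusts the authority's trust
	_ = ts.AddCert(authority.Certify(alice)) // the authority has signed alice's key
	good := alice.SignPKGBUILD([]byte("pkgname=foo\npkgver=1\n"))
	tampered := good // same signature, modified content (constructed attack)
	tampered.Content = []byte("pkgname=foo\npkgver=1\nsource=(http://example.invalid/evil)\n")
	for _, p := range []SignedPKGBUILD{good, bob.SignPKGBUILD([]byte("pkgname=bar\n")), tampered} {
		ok, why := ts.CanInstall(p)
		fmt.Println(ok, why)
	}
}
```

Running it accepts alice's package, rejects bob's because no trusted introducer has certified his key, and rejects the tampered copy because the signature no longer matches the content. The order of the two checks in CanInstall matters: trust is a property of a key, so it is only meaningful once the signature has proved that the key actually signed this PKGBUILD.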