[aur-general] TU without [community] maintaining?

Lex Rivera x-demon at x-demon.org
Wed Feb 3 13:32:12 EST 2010 

On 03/02/10 19:10, Florian Friesdorf wrote:
> On Wed, Feb 03, 2010 at 06:04:52PM +0000, Pierre Chapuis wrote:
> > Le Wed, 03 Feb 2010 15:41:38 +0100,
> > Thomas Bächler <thomas at archlinux.org> a écrit :
> > 
> > > I think it is a good idea. We could create the "AUR moderator" position
> > > instead of calling it "Semi-TU".
> > > 
> > > When I was a TU, I didn't care at all about moderating the AUR, and
> > > maybe other TUs feel the same and rather do packaging. Conversely, you
> > > don't seem to care about packaging but about AUR moderation.
> > > 
> > > I am forwarding this to arch-dev-public for reference, but I guess
> > > ultimately the TUs have to decide.
> > 
> > I even think it could be a good idea to have "real" Trusted Users in the
> > sense that they can be trusted as to which packages they publish on the
> > AUR, not necessarily in binary form. They would be approved by some
> > process, and then added to a list which could be used by software like
> > yaourt / pakthan / bauerbill to let the users install their packages
> > without checking the PKGBUILDs. The fact that a package on the AUR is
> > maintained by one of these users (they would include current TUs and
> > devs) would be accessible in the metadata (through the json RPC for
> > example).
> > 
> > I know there used to be a flag like that on the AUR and that it didn't
> > work, but I think it's mainly because it was on a "by package" basis
> > instead of a "by user" basis, which makes it a lot more work for those
> > who have to check.
> > 
> > As for what should be checked when users apply for this position, I
> > would say at least:
> > 
> >   - a sufficient expertise in packaging, proved by the existence of
> >     several good packages maintained by them on the AUR, and
> >   - a means to contact them efficiently (valid email address).
> > 
> > Anyway this is just my two cents as an Arch user, but I consider the
> > lack of any way to trust AUR PKGBUILDs without reading them to be the
> > thing that annoys me most with Arch as of now.
> 
> What about a peer trust network? Publishing packages on the AUR would
> involve giving an pgp public key. People sign their PKGBUILDs using
> their private key. People can define trust relationships towards other
> people ("I trust this person to write good PKGBUILDs" and "I trust this
> person's trust in other's"). Being a TU would mean to be signed by the
> TU-Authority (or whatever) and trusting the TU authority's trust would
> mean you can install packages that are created by TU's.
> 
> -- 
> Florian Friesdorf <flo at chaoflow.net>
>   GPG FPR: EA5C F2B4 FBBB BA65 3DCD  E8ED 82A1 6522 4A1F 4367
> Jabber/XMPP: flo at chaoflow.net
>   OTR FPR: 9E191746 213321FE C896B37D 24B118C0 31785700
> IRC: chaoflow on freenode,ircnet,blafasel,OFTC

Peer trust network? Isn't that too hard for ordinary user? Download
key, import it, set trust level... If there will be some list of
"Checked Users" this will be easier and friendlier. But peer trust net
is nice idea anyway.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://mailman.archlinux.org/pipermail/aur-general/attachments/20100203/f052fdbb/attachment.bin>

More information about the aur-general mailing list