[aur-general] TU without [community] maintaining?

Lauri Niskanen ape at ape3000.com
Wed Feb 3 13:41:34 EST 2010


On 02/03/2010 08:32 PM, Lex Rivera wrote:
> On 03/02/10 19:10, Florian Friesdorf wrote:
>> On Wed, Feb 03, 2010 at 06:04:52PM +0000, Pierre Chapuis wrote:
>>> On Wed, 03 Feb 2010 15:41:38 +0100,
>>> Thomas Bächler <thomas at archlinux.org> wrote:
>>>
>>>> I think it is a good idea. We could create the "AUR moderator" position
>>>> instead of calling it "Semi-TU".
>>>>
>>>> When I was a TU, I didn't care at all about moderating the AUR, and
>>>> maybe other TUs feel the same and rather do packaging. Conversely, you
>>>> don't seem to care about packaging but about AUR moderation.
>>>>
>>>> I am forwarding this to arch-dev-public for reference, but I guess
>>>> ultimately the TUs have to decide.
>>>
>>> I even think it could be a good idea to have "real" Trusted Users in the
>>> sense that they can be trusted as to which packages they publish on the
>>> AUR, not necessarily in binary form. They would be approved by some
>>> process, and then added to a list which could be used by software like
>>> yaourt / pakthan / bauerbill to let the users install their packages
>>> without checking the PKGBUILDs. The fact that a package on the AUR is
>>> maintained by one of these users (they would include current TUs and
>>> devs) would be accessible in the metadata (through the json RPC for
>>> example).
>>>
>>> I know there used to be a flag like that on the AUR and that it didn't
>>> work, but I think it's mainly because it was on a "by package" basis
>>> instead of a "by user" basis, which makes it a lot more work for those
>>> who have to check.
>>>
>>> As for what should be checked when users apply for this position, I
>>> would say at least:
>>>
>>>   - a sufficient expertise in packaging, proved by the existence of
>>>     several good packages maintained by them on the AUR, and
>>>   - a means to contact them efficiently (valid email address).
>>>
>>> Anyway this is just my two cents as an Arch user, but I consider the
>>> lack of any way to trust AUR PKGBUILDs without reading them to be the
>>> thing that annoys me most with Arch as of now.
>>
>> What about a peer trust network? Publishing packages on the AUR would
>> involve giving a PGP public key. People sign their PKGBUILDs using
>> their private key. People can define trust relationships towards other
>> people ("I trust this person to write good PKGBUILDs" and "I trust this
>> person's trust in others"). Being a TU would mean to be signed by the
>> TU-Authority (or whatever) and trusting the TU authority's trust would
>> mean you can install packages that are created by TUs.
>>
>> -- 
>> Florian Friesdorf <flo at chaoflow.net>
>>   GPG FPR: EA5C F2B4 FBBB BA65 3DCD  E8ED 82A1 6522 4A1F 4367
>> Jabber/XMPP: flo at chaoflow.net
>>   OTR FPR: 9E191746 213321FE C896B37D 24B118C0 31785700
>> IRC: chaoflow on freenode,ircnet,blafasel,OFTC
> 
> Peer trust network? Isn't that too hard for an ordinary user? Download
> key, import it, set trust level... If there is some list of
> "Checked Users", this will be easier and friendlier. But a peer trust net
> is a nice idea anyway.

I agree that a peer trust network is a nice idea and that pgp keys might
be unnecessary. AUR accounts are already authenticated by the web system,
and a user can be easily coupled with the uploaded files.

You should be able to upload packages without any trust status, and
downloading and installing untrusted packages should also be possible. There
could be packages with trusted status, so users wouldn't have that
many packages to check themselves.

-- Ape <Lauri Niskanen>
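The peer trust network Florian describes, as an added illustration that is not code from this thread or from the AUR: a small Python model that keeps the two trust statements apart ("good packager" versus "I trust this person's trust in others") and treats the TU authority as an introducer, so a TU's packages are installable without review while an unknown uploader's fall back to manual review as Lauri asks. All key names are constructed, and verifying the PKGBUILD signature itself (e.g. with gpg) is assumed to happen before this decision.

```python
from dataclasses import dataclass, field

PACKAGER = "packager"      # "I trust this person to write good PKGBUILDs"
INTRODUCER = "introducer"  # "I trust this person's trust in others"

@dataclass
class TrustGraph:
    certs: dict = field(default_factory=dict)  # certs[signer][signee] = level

    def certify(self, signer: str, signee: str, level: str) -> None:
        self.certs.setdefault(signer, {})[signee] = level

    def trusts_packager(self, user: str, key: str, max_depth: int = 3) -> bool:
        """Does `user` trust PKGBUILDs signed by `key`? Walk outward from the
        user over INTRODUCER edges only; the final hop onto `key` must be a
        PACKAGER certification, so an introducer's own uploads stay untrusted."""
        frontier, seen = {user}, {user}
        for _ in range(max_depth):
            nxt = set()
            for node in frontier:
                edges = self.certs.get(node, {})
                if edges.get(key) == PACKAGER:
                    return True
                for signee, level in edges.items():
                    if level == INTRODUCER and signee not in seen:
                        seen.add(signee)
                        nxt.add(signee)
            if not nxt:
                break
            frontier = nxt
        return False

def decide(graph: TrustGraph, user: str, signer: str) -> str:
    """Untrusted uploads remain installable, but only after manual review."""
    return "install" if graph.trusts_packager(user, signer) else "review"

def build_example() -> TrustGraph:
    # Constructed keys: alice is an ordinary user, tu_authority signs the TUs.
    g = TrustGraph()
    g.certify("alice", "tu_authority", INTRODUCER)  # trust the authority's trust
    g.certify("alice", "carol", PACKAGER)           # direct trust in a packager
    g.certify("tu_authority", "tu_bob", PACKAGER)   # tu_bob is a TU
    g.certify("tu_authority", "eve", INTRODUCER)    # eve only vouches for others
    g.certify("eve", "frank", PACKAGER)             # two introducer hops from alice
    return g

if __name__ == "__main__":
    g = build_example()
    for signer in ("tu_bob", "carol", "frank", "eve", "dave"):
        print(signer, decide(g, "alice", signer))  # dave and eve -> review
```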

