[aur-general] TU without [community] maintaining?

Lex Rivera x-demon at x-demon.org
Wed Feb 3 14:12:22 EST 2010


On 03/02/10 19:57, Florian Friesdorf wrote:
> On Wed, Feb 03, 2010 at 07:55:10PM +0100, Laszlo Papp wrote:
> > On Wed, Feb 3, 2010 at 7:42 PM, Florian Friesdorf <flo at chaoflow.net> wrote:
> > > On Wed, Feb 03, 2010 at 09:32:12PM +0300, Lex Rivera wrote:
> > >> On 03/02/10 19:10, Florian Friesdorf wrote:
> > >> >
> > >> > What about a peer trust network? Publishing packages on the AUR would
> > >> > involve giving a PGP public key. People sign their PKGBUILDs using
> > >> > their private key. People can define trust relationships towards other
> > >> > people ("I trust this person to write good PKGBUILDs" and "I trust this
> > >> > person's trust in others"). Being a TU would mean to be signed by the
> > >> > TU-Authority (or whatever) and trusting the TU authority's trust would
> > >> > mean you can install packages that are created by TU's.
> > >>
> > >> Peer trust network? Isn't that too hard for an ordinary user? Download
> > >> key, import it, set trust level... If there will be some list of
> > >> "Checked Users" this will be easier and friendlier. But a peer trust net
> > >> is a nice idea anyway.
> > >
> > > yaourt could ship with the TU-Auth's public key and its default
> > > configuration could be to trust packages by people that are signed by
> > > the TU-Auth.
> > >
> > > key management should further be integrated into yaourt (or the like)
> > 
> > Yaourt is not supported officially, and it's a buggy and abandoned
> > program at this moment, and it has got a very bad design concept to
> > parse URLs directly, so many people wouldn't like to use it ...
> 
> Well, what are people using to install packages from AUR?
> 
> -- 
> Florian Friesdorf <flo at chaoflow.net>
>   GPG FPR: EA5C F2B4 FBBB BA65 3DCD  E8ED 82A1 6522 4A1F 4367
> Jabber/XMPP: flo at chaoflow.net
>   OTR FPR: 9E191746 213321FE C896B37D 24B118C0 31785700
> IRC: chaoflow on freenode,ircnet,blafasel,OFTC

Yaourt is popular, but there are other good alternatives to it. I like
yaourt's interface, but... It's extremely slow. And not developed anymore.
Compare it to packer for example.
Anyway, gpg support at least for binary packages can be great, but I
haven't seen any pacman gpg patches or even preliminary support.
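
The two kinds of trust proposed earlier in the thread ("I trust this person to write good PKGBUILDs" versus "I trust this person's trust in others") can be modelled as two separate edge types, as in this added example, which is not code from the thread or from any AUR helper. The key names, the `TrustStore` class and the depth limit are assumptions, and checking the PGP signature on the PKGBUILD itself is assumed to happen separately (for instance with gpg) before this decision is made.

```python
from collections import deque

class TrustStore:
    """Two edge types: packager trust (direct) and introducer trust (delegated)."""
    def __init__(self):
        self.packager = {}    # truster -> keys trusted to write good PKGBUILDs
        self.introducer = {}  # truster -> keys whose trust statements are honoured

    def trust_packager(self, truster, key):
        self.packager.setdefault(truster, set()).add(key)

    def trust_introducer(self, truster, key):
        self.introducer.setdefault(truster, set()).add(key)

    def trust_path(self, user, signer, max_depth=3):
        """Return the chain of keys from user to signer, or None if untrusted.
        Only introducer edges are followed; the last hop must be packager trust."""
        queue, seen = deque([[user]]), {user}
        while queue:
            path = queue.popleft()
            here = path[-1]
            if signer in self.packager.get(here, ()):
                return path + [signer]
            if len(path) - 1 >= max_depth:      # cap on delegation hops (assumed policy)
                continue
            for nxt in sorted(self.introducer.get(here, ())):
                if nxt not in seen:             # cycles in the graph must not loop forever
                    seen.add(nxt)
                    queue.append(path + [nxt])
        return None

def build_example():
    """Constructed sample graph; every key name here is hypothetical."""
    s = TrustStore()
    s.trust_introducer("user", "TU-AUTH")        # shipped default: honour TU-Auth's trust
    s.trust_packager("TU-AUTH", "tu-alice")      # TU-Auth signed alice, so she is a TU
    s.trust_packager("TU-AUTH", "tu-bob")
    s.trust_packager("user", "carol")            # user's own direct decision
    s.trust_introducer("tu-alice", "mallory")    # alice's private choice, not delegated by user
    s.trust_packager("mallory", "mallory-friend")
    s.trust_introducer("TU-AUTH", "user")        # cycle, to exercise the seen-set
    return s

if __name__ == "__main__":
    store = build_example()
    for signer in ("tu-alice", "carol", "mallory-friend"):
        print(signer, "->", store.trust_path("user", signer))
```

Being a TU makes `tu-alice` a trusted packager, not a trusted introducer, so keys she vouches for stay untrusted for this user.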