[aur-general] AUR4 migration of orphan packages
Chris Warrick
kwpolska at gmail.com
Tue Jun 9 16:14:58 UTC 2015
On Tue, Jun 9, 2015 at 5:53 PM, Ido Rosen <ido at kernel.org> wrote:
> I think some of the orphans on AUR are just maintained by multiple
> people. The usage pattern is:
>
> Person A adopts, updates, and disowns.
> Person B some time later notices it's out of date, adopts, updates, disowns.
>
> It seems perfectly reasonable to have multiple people maintain a
> package over time this way. Maybe we just need better support for
> this style of non-maintainership that isn't quite "orphaned"? Support
> for multiple maintainers/collaborators like on GitHub repos?
> (Outright owning a package in AUR prevents anyone else from updating
> it.)
It also prevents a third party (Mallory) from taking it over and:
(a) replacing it with something else (malware?);
(b) preventing Alice and Bob from updating it;
(c) requesting deletion;
(d) [insert other harmful actions here].
> if someone wants to update a package faster than I can get to it […]
You should use some service that would tell you about package updates,
for example requires.io for Python, or RSS feeds. Will take 5 minutes
to do it in many cases (to update pkgver and the checksums).
--
Chris Warrick <https://chriswarrick.com/>
PGP: 5EAAEA16