[aur-general] AUR4 migration of orphan packages

Chris Warrick kwpolska at gmail.com
Tue Jun 9 16:14:58 UTC 2015

On Tue, Jun 9, 2015 at 5:53 PM, Ido Rosen <ido at kernel.org> wrote:
> I think some of the orphans on AUR are just maintained by multiple
> people.  The usage pattern is:
> Person A adopts, updates, and disowns.
> Person B some time later notices it's out of date, adopts, updates, disowns.
> It seems perfectly reasonable to have multiple people maintain a
> package over time this way.  Maybe we just need better support for
> this style of non-maintainership that isn't quite "orphaned"?  Support
> for multiple maintainers/collaborators like on GitHub repos?
> (Outright owning a package in AUR prevents anyone else from updating
> it.)

It also prevents a third party (Mallory) from taking it over and:

(a) replacing it with something else (malware?);
(b) preventing Alice and Bob from updating it;
(c) requesting deletion;
(d) [insert other harmful actions here].

> if someone wants to update a package faster than I can get to it […]

You should use some service that would tell you about package updates,
for example requires.io for Python, or RSS feeds.  Will take 5 minutes
to do it in many cases (to update pkgver and the checkums)

Chris Warrick <https://chriswarrick.com/>

More information about the aur-general mailing list