[aur-general] AUR4 migration of orphan packages

Ido Rosen ido at kernel.org
Tue Jun 9 16:24:24 UTC 2015

On Tue, Jun 9, 2015 at 12:14 PM, Chris Warrick <kwpolska at gmail.com> wrote:
> On Tue, Jun 9, 2015 at 5:53 PM, Ido Rosen <ido at kernel.org> wrote:
>> I think some of the orphans on AUR are just maintained by multiple
>> people.  The usage pattern is:
>> Person A adopts, updates, and disowns.
>> Person B some time later notices it's out of date, adopts, updates, disowns.
>> It seems perfectly reasonable to have multiple people maintain a
>> package over time this way.  Maybe we just need better support for
>> this style of non-maintainership that isn't quite "orphaned"?  Support
>> for multiple maintainers/collaborators like on GitHub repos?
>> (Outright owning a package in AUR prevents anyone else from updating
>> it.)
> It also prevents a third party (Mallory) from taking it over and:
> (a) replacing it with something else (malware?);
> (b) preventing Alice and Bob from updating it;
> (c) requesting deletion;
> (d) [insert other harmful actions here].

Yes, that's right, and these are all good reasons why we should
continue to have ownership, which is why I suggested we support
something in-between as well (before I knew about co-maintainership
capabilities in AUR, which basically resolve this).
>> if someone wants to update a package faster than I can get to it […]
> You should use some service that would tell you about package updates,
> for example requires.io for Python, or RSS feeds.  Will take 5 minutes
> to do it in many cases (to update pkgver and the checkums)

Thanks for the suggestion, but these services don't work for some (or
most) of the packages I maintain, and some of the packages are
academic in nature.  For updates that are just updating the pkgver &
updpkgsums, I do those myself, but there are cases (major version
changes, new feature requests, upstream breaks something, dependent
packages break something, etc.) where debugging/more time is needed.
That's when it may take me a week or more to get around to updating
the package, in which case if someone else with more time gets to it
sooner, I encourage them to submit a pull request and add them as a
Contributor: (and thank them for helping!). :-)

Another thing that having the pull request workflow I use allows is
for the users of the package to add things to the package (e.g.
optdepends as they come out) and fix bugs.  It makes my work after
initially creating the package basically just QA to make sure their
PRs don't break anything in many cases, which I like.

> --
> Chris Warrick <https://chriswarrick.com/>

More information about the aur-general mailing list