[aur-general] TU Application: Bruno Pagani

NicoHood archlinux at nicohood.de
Sat Jan 7 15:05:11 UTC 2017


On 01/07/2017 03:32 PM, Bruno Pagani via aur-general wrote:
> Hi everyone,
> 
> My name is Bruno Pagani (a.k.a. ArchangeGabriel, or just archange
> [...]

Hey Bruno,
nice to hear that you want to join the great ArchLinux project as TU. I
am aware the discussion period has not started yet, but I think it's fine
if I already give some feedback.

I've checked your PKGBUILDs and I've noted a few things (which I also
did wrong or sometimes forget). Those are mostly only concerning
security aspects which I find important. If you followed the recent
discussion you might have noticed that some people differ from this
opinion. Please take it as a kind notice for you, use it if you wish :)

* For github download .tar.gz is preferred over .zip in general if I am
not wrong.
* Prefix your source download with: ${pkgname}-${pkgver}.tar.xz:: if you
have a common SRCDIR. I also recently changed to a common src dir, as too
many packages blow my directories.
* You can use https for sourceforge downloads soon/now[1] (bs1770gain)
* Thanks for using sha256sums. You may want to use the even stronger
sha512sums, as it does not hurt to use stronger hashes *duck*
* certbot-user: the gpg keys should have a comment with the owner of the
trusted keys (as you did with exfalso, but with email)
* mpd-{sserver,}minimal uses a sha1sum. If it's an upstream hash please
contact them to use stronger hashes and include a stronger one as well.
You can use multiple hashes in the PKGBUILD (as in weboob-headless).
* powerdevil/spectacle-light uses http downloads. Even though gpg
signatures are used, it would be nice to have https available anyways.
It seems kde misconfigured their download subdomain for https, so you
might want to contact them about that?
* What I also do is to put my own GPG ID inside my PKGBUILDs, so people
can simpler verify/find my key. Just as an idea.
* For those projects that don't use GPG signatures yet, you might want to
kindly contact them. I've written a script + instructions for using gpg
along with a template to contact upstreams[2]. You might want to check
it out.
* If you want to move whipper, please consider taking part in the
discussion about gpg[3]. Please don't take it personally, some people
found themselves personally offended, while this was not the intention. You
have the chance to also speak up for stronger security. I do not want to
end this in an off-topic discussion, maybe you can help too ;)

Cheers
~Nico

[1] https://github.com/arduino/Arduino/pull/5772#issuecomment-269715945
[2] https://github.com/NicoHood/gpgit#a-template-for-contacting-upstreams
[3] https://github.com/JoeLametta/whipper/issues/77
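As an added illustration of the PKGBUILD checklist in the mail above (this is example code written for this page, not Nico's script, not Bruno's packages and not any Arch tooling): a small POSIX shell lint that flags three of the patterns he calls out in a PKGBUILD, namely sources fetched over plain http://, md5sums/sha1sums arrays, and validpgpkeys entries that carry no comment naming the key owner. The two embedded PKGBUILDs, the function names, the fingerprints, the checksum placeholders and the example.invalid URLs are all constructed for the demonstration; the "fixed" sample also shows the ${pkgname}-${pkgver}.tar.gz:: rename prefix, a detached .sig and sha256sums next to sha512sums, as makepkg accepts several checksum arrays at once.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or any Arch tool): a tiny
# PKGBUILD lint for three points raised in the mail. All function names,
# sample PKGBUILD text, fingerprints, checksums and example.invalid URLs
# are constructed for this demonstration.

# Constructed "before" PKGBUILD: plain-http source, sha1sums array, and a
# validpgpkeys entry without an owner comment.
WEAK_PKGBUILD='pkgname=example
pkgver=1.0
source=("http://example.invalid/${pkgname}-${pkgver}.zip"
        "https://example.invalid/${pkgname}-${pkgver}.tar.gz.sig")
validpgpkeys=("ABCDEF0123456789ABCDEF0123456789ABCDEF01")
sha1sums=("da39a3ee5e6b4b0d3255bfef95601890afd80709"
          "SKIP")
'

# Constructed "after" PKGBUILD: https only, tarball renamed through the
# ${pkgname}-${pkgver}.tar.gz:: prefix (handy with a shared source dir),
# a detached signature, keys annotated with their owners, and both
# sha256sums and sha512sums (placeholder digests).
FIXED_PKGBUILD='pkgname=example
pkgver=1.0
source=("${pkgname}-${pkgver}.tar.gz::https://example.invalid/archive/v${pkgver}.tar.gz"
        "${pkgname}-${pkgver}.tar.gz.sig::https://example.invalid/archive/v${pkgver}.tar.gz.sig")
validpgpkeys=("ABCDEF0123456789ABCDEF0123456789ABCDEF01"  # Upstream Dev <dev@example.invalid>
              "0123456789ABCDEF0123456789ABCDEF01234567") # Packager <me@example.invalid>
sha256sums=("PLACEHOLDER_SHA256_OF_TARBALL"
            "SKIP")
sha512sums=("PLACEHOLDER_SHA512_OF_TARBALL"
            "SKIP")
'

# Number of lines in the PKGBUILD text $1 that fetch over plain http://
# ("http://" is not a substring of "https://", so https lines are not hit).
count_http_sources() {
  printf '%s\n' "$1" | grep -c 'http://' || true
}

# Names of weak checksum arrays (md5sums, sha1sums, incl. _arch suffixes).
weak_checksum_arrays() {
  printf '%s\n' "$1" \
    | sed -n -E 's/^(md5sums|sha1sums)(_[A-Za-z0-9_]+)?=.*/\1\2/p'
}

# Number of 40-hex-digit entries inside validpgpkeys=( ... ) whose line has
# no "#" comment naming the key owner. The awk range isolates the array so
# sha1 digests elsewhere in the file are not mistaken for fingerprints.
unannotated_pgp_keys() {
  printf '%s\n' "$1" \
    | awk '/^validpgpkeys=\(/,/\)/' \
    | grep -E '[0-9A-Fa-f]{40}' \
    | grep -vc '#' || true
}

# Run all checks, print findings, return 0 only when nothing was flagged.
lint_pkgbuild() {
  issues=0
  n=$(count_http_sources "$1")
  if [ "$n" -gt 0 ]; then
    echo "WARN: $n line(s) fetch over plain http://; prefer https"
    issues=$((issues + n))
  fi
  for arr in $(weak_checksum_arrays "$1"); do
    echo "WARN: $arr used; add sha256sums/sha512sums (several arrays may coexist)"
    issues=$((issues + 1))
  done
  n=$(unannotated_pgp_keys "$1")
  if [ "$n" -gt 0 ]; then
    echo "WARN: $n validpgpkeys entry(ies) lack a comment naming the key owner"
    issues=$((issues + n))
  fi
  [ "$issues" -eq 0 ]
}

# Usage: lint both constructed samples.
if lint_pkgbuild "$WEAK_PKGBUILD"; then
  echo "weak PKGBUILD: no findings (unexpected)"
else
  echo "weak PKGBUILD: findings listed above"
fi
if lint_pkgbuild "$FIXED_PKGBUILD"; then
  echo "fixed PKGBUILD: clean"
fi
```

The checks are deliberately line-based text matching, which is enough for a pre-commit sanity pass on your own PKGBUILDs; they do not parse bash, so a source URL assembled from variables at runtime would need a manual look.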
