[aur-general] Suggestion to add a pinned comment to PKGBUILDs of high risk vulnerable software

Ralf Mardorf ralf.mardorf at alice-dsl.net
Sun Jul 2 07:09:30 UTC 2017


Hi,

I understand that users should decide on their own whether they wish to
install high risk vulnerable software, so I'm not writing because a
deletion request was rejected.

I want to make a suggestion.

A pinned comment could warn about the high security risk and,
assuming that upstream of the original software shouldn't fix
vulnerabilities, at least recommend asking upstream of software that
requires such software as a dependency to get rid of this dependency,
instead of installing the vulnerable software.

I'm not sure if everybody is aware of the risks a package like

https://aur.archlinux.org/pkgbase/webkitgtk/
https://aur.archlinux.org/packages/webkitgtk2/

causes.

When providing such a PKGBUILD, is there anything speaking against a
short pinned comment?

Regards,
Ralf

-- 
Vote for apulse!
echo $(w3m https://aur.archlinux.org/packages/apulse |grep 'Votes:    ')
Votes: 81                         Updated: Sun Jul  2 09:03:52 CEST 2017