[aur-general] Suggestion to add a pinned comment to PKGBUILDs of high risk vulnerable software

Eli Schwartz eschwartz93 at gmail.com
Sun Jul 2 07:49:10 UTC 2017

On 07/02/2017 03:09 AM, Ralf Mardorf wrote:
> Hi,
> I understand that users should decide on their own, if they wish to
> install high risk vulnerable software, so I'm not writing because a
> deletion request was rejected.
> I want to make a suggestion.
> A pinned comment could warn about the high security risk and
> assuming that upstream of the original software shouldn't fix
> vulnerabilities, at least recommend to ask upstream of software that
> requires such software as a dependency, to get rid of this dependency,
> instead of installing the vulnerable software.
> I'm not sure if everybody is aware of the risks a package like
> https://aur.archlinux.org/pkgbase/webkitgtk/
> https://aur.archlinux.org/packages/webkitgtk2/
> does cause.
> When providing such a PKGBUILD, is speaking anything against a
> short pinned comment?

... That is entirely up to the maintainer of said package.

Even if it weren't entirely up to the maintainer to pin comments, who
are you proposing should be responsible for determining what packages
should come with warnings, and then providing such warnings? And what
makes you think people will *see* those warnings for packages that are
typically not installed on their own, but as dependencies for something


Eli Schwartz

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/aur-general/attachments/20170702/76ae87a7/attachment.asc>

More information about the aur-general mailing list