[aur-general] Suggestion to add a pinned comment to PKGBUILDs of high risk vulnerable software

Ralf Mardorf ralf.mardorf at alice-dsl.net
Tue Jul 4 07:45:08 UTC 2017

On Tue, 4 Jul 2017 14:00:50 +0800, Oon-Ee Ng via aur-general wrote:
>You could suggest it on the package's AUR page.


yes, I could ask to do it for dependent packages such as
https://aur.archlinux.org/packages/xombrero/ even while I'm not using

I could ask to do it for https://aur.archlinux.org/packages/qtwebkit/ ,
https://aur.archlinux.org/packages/webkitgtk/ /
https://aur.archlinux.org/packages/webkitgtk2 even while I'm not using
those packages.

Some maintainers simply are responsible without somebody mentioning it,
e.g. https://aur.archlinux.org/packages/claws-mail-git/, btw. the only
related PKGBUILD I'm using myself.

Another package maintainer disabld webkit usage, after I informed
about the issue and after I get in contact with upstream, who also will
fix the issue, https://aur.archlinux.org/packages/guitarix-git/ . I'm
not using this package, but install guitarix2 from official

>By sending it to the ML, it looks like you're trying to discuss or
>push for a general decision.

Actually there could be PKGBUILDs where I'm not aware of the issue, so
I can't add a comment, that's why I ask on this list. It should not be
enforced by a rule, but maintainers of PKGBUILDs should become a sense
of responsibility, so I mentioned it on this list.


Vote for apulse!
echo $(w3m https://aur.archlinux.org/packages/apulse |grep 'Votes:    ')
Votes: 82                         Updated: Tue Jul  4 09:32:57 CEST 2017

More information about the aur-general mailing list