[aur-general] Suggestion to add a pinned comment to PKGBUILDs of high risk vulnerable software

Ralf Mardorf ralf.mardorf at alice-dsl.net
Tue Jul 4 07:50:12 UTC 2017


On Tue, 4 Jul 2017 09:45:08 +0200, Ralf Mardorf wrote:
>On Tue, 4 Jul 2017 14:00:50 +0800, Oon-Ee Ng via aur-general wrote:
>>You could suggest it on the package's AUR page.  
>
>Hi,
>
>yes, I could ask to do it for dependent packages such as
>https://aur.archlinux.org/packages/xombrero/ even while I'm not using
>it.
>
>I could ask to do it for https://aur.archlinux.org/packages/qtwebkit/ ,
>https://aur.archlinux.org/packages/webkitgtk/ /
>https://aur.archlinux.org/packages/webkitgtk2 even while I'm not using
>those packages.
>
>Some maintainers simply are responsible without somebody mentioning it,
>e.g. https://aur.archlinux.org/packages/claws-mail-git/, btw. the only
>related PKGBUILD I'm using myself.
>
>Another package maintainer disabled webkit usage, after I informed
>about the issue and after I got in contact with upstream, who also will
>fix the issue, https://aur.archlinux.org/packages/guitarix-git/ . I'm
>not using this package, but install guitarix2 from official
>repositories.
>
>>By sending it to the ML, it looks like you're trying to discuss or
>>push for a general decision.  
>
>Actually there could be PKGBUILDs where I'm not aware of the issue, so
>I can't add a comment, that's why I ask on this list. It should not be
>enforced by a rule, but maintainers of PKGBUILDs should get a sense
>of responsibility, so I mentioned it on this list.
>
>Regards,
>Ralf
>

PS: Maybe Claws from git still builds with webkit, if it's
installed, but it's not a dependency.

-- 
Vote for apulse!
echo $(w3m https://aur.archlinux.org/packages/apulse |grep 'Votes:    ')
Votes: 82                         Updated: Tue Jul  4 09:48:53 CEST 2017

