[aur-general] Suggestion to add a pinned comment to PKGBUILDs of high risk vulnerable software

NicoHood archlinux at nicohood.de
Tue Jul 4 08:19:09 UTC 2017


I want to point out another view from this situation:

What if an outdated package is moved to AUR and does not have a new
package with the replaces=() variable? I personally had this several
times and those packages are still kept on the system.

This gave me some broken dependencies, but also old software was kept on
my system. Besides the packages I manually installed from AUR, this could
be a real security risk.

Shouldn't we warn the user when a package from the official repositories
moves to the AUR (or disappears completely)? Not every user checks his system
for dropped packages every day, so a warning in pacman would be nice.

About the original suggestion for the AUR:
I think it's worth having a pinned comment on the AUR page. The package
maintainer should add it if a user gives him the hint. If he doesn't
accept it, a TU should check if the request is valid and pin the user's
comment. This way we can help all the users. Maintainers unwilling to
fix security problems or ignoring/hiding them are not welcome to me.

~Nico
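The check the message asks for, as an added example that is not part of the thread or of pacman: compare a saved snapshot of `pacman -Sl` with the current `pacman -Qm` output to find installed packages that were in an official repo before and are now foreign (moved to the AUR or dropped). The snapshot path is hypothetical and the sample pacman output is constructed.

```python
"""Flag installed packages that have left the official repos (moved to the
AUR or dropped) since a saved snapshot of the sync databases.
Added example, not from the thread or from pacman itself. It assumes the line
formats of `pacman -Sl` ("repo name version [installed]") and `pacman -Qm`
("name version"); the sample outputs below are constructed."""
import subprocess

def parse_sync_list(text):
    """Map package name -> repo from `pacman -Sl` output."""
    repos = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:          # repo, name, version[, "[installed]"]
            repos[parts[1]] = parts[0]
    return repos

def parse_foreign(text):
    """Names of installed packages absent from every sync db (`pacman -Qm`)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}

def dropped_packages(previous_sync, current_foreign):
    """Sorted (name, old_repo) pairs for packages that were in a repo at
    snapshot time but are now foreign. A package removed through another
    package's replaces=() is no longer installed, so only the un-replaced
    leftovers the thread worries about are reported."""
    return sorted((name, previous_sync[name])
                  for name in current_foreign if name in previous_sync)

# Constructed sample data standing in for real pacman output.
PREVIOUS_SYNC = """core linux 4.11.7-1 [installed]
extra libexample 1.2-3 [installed]
community exampletool 0.9-1
"""
CURRENT_FOREIGN = """libexample 1.2-3
myaurpkg 2.0-1
"""

def main():
    # Live use: compare a saved `pacman -Sl` snapshot (hypothetical path) with the system.
    with open("/var/tmp/sync-snapshot.txt") as f:
        prev = parse_sync_list(f.read())
    cur = parse_foreign(subprocess.run(["pacman", "-Qm"], capture_output=True,
                                       text=True, check=True).stdout)
    for name, repo in dropped_packages(prev, cur):
        print(f"warning: {name} was in [{repo}] but is now foreign (dropped to AUR?)")

if __name__ == "__main__":
    main()
```

Run `pacman -Sl > /var/tmp/sync-snapshot.txt` after each successful sync to refresh the snapshot; the same comparison could be wired into a pacman hook so the warning appears during upgrades.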

