[aur-general] TU Application: Morten Linderud
Levente Polyak
anthraxx at archlinux.org
Tue Sep 5 15:33:09 UTC 2017
On 09/05/2017 02:07 PM, Morten Linderud wrote:
> Hello Archers and Arch overlords!
>
> # Introduction:
> My name is Morten Linderud, or better known as Foxboron. I'm writing this
> application to join the TU team. My sponsor is Jelle van der Waa.
Yay :)
> During last year's Chaos Communication Congress I got in touch with anthraxx and
> shibumi. They introduced me to their security meet up along with jelle and
> rgacogne. This ended up with me assisting the reviewing of security advisories,
> and I have now been added as a CVE reporter to the team.
>
I can confirm that this happened, and we are happy to have you around
for security stuff.
Now, I'm going to take a look at your AUR... Let the hunt begin *giggle*
archur-git:
- VCS package missing provides/conflicts
bmusb:
- would be more error prone and convenient to keep pkgver in sync when
using a pkgver() function for pinned commits and f.e. do:
git describe --always | sed 's/^v//;s/-/./g'
- url variable points to a 403 page
buildah-git:
- VCS package missing provides/conflicts
- license can be changed to 'Apache' as that is already in common
licences and points to version 2.0
- clone URL could use TLS via git+https
cryptomator:
- cryptomator.sh should use quotes for $PATH as it may contain spaces
cubemap:
- VCS package missing provides/conflicts
- source name must contain something unique for current tarball like
commit hash otherwise it collides with an existing download of a
previous version and just fails on checksum matching
- fails to build: configure: error: Package requirements (libsystemd)
were not met, seems to require it
dep-git:
- VCS package missing provides/conflicts
- clone URL could use TLS via git+https
- use quotes for $PATH and $GOPATH as it could contain spaces
dmenu-extended:
- VCS package not named dmenu-extended-git, either rename or
use a pinned commit (you promised that a year ago in the
comments *giggle* :P :D )
- python packages should have a build function as it's building
binary artifacts via setup.py and named function is needed in
the future to make py packages reproducible
jottalib:
- uses static string in the source v0.5.1.tar.gz that can be replaced
by $pkgver
- not an 'any' arch as it builds binary artifacts
- seems to contain a lot of test cases run by travis, maybe try to include
molecule
- URL pin-points to 2.0.0.rc12 (which isn't even used anymore)
- would be more error prone and convenient to keep pkgver in sync when
using a pkgver() function for pinned commits and f.e. do:
git describe --always | sed 's/^v//;s/-/./g'
- test cases could be run via tox
- could build docs like txt and man via sphinx in doc folder
- outdated since 20 hours, 2.0.4 release *giggle*
nageru:
- 1.6.2 has been released
protege-distribution:
- try to build from source rather than redistribute precompiled binary
blobs
nodejs-how2:
- could possibly be pulled via TLS https because why not :P
- npm install package should forcefully fixup $pkgdir/usr file/dirs
as it's a non-deterministic race condition bug that upstream still
fails to find and fix. It can lead to node_modules dir being world
writable and it contains code, f.e. line 26 :
https://git.archlinux.org/svntogit/community.git/tree/trunk/PKGBUILD?h=packages/uglify-js#n26
nerd-fonts-git:
- VCS package missing provides/conflicts
python-anyconfig:
- uses setuptools entrypoint functionality and therefore must hard depend
on python{,2}-setuptools instead of just makedepends
- you could distribute the LICENSE.MIT file as MIT is not a common
included license
- you could run tests via tox
python-gilt:
- package_python2-gilt() must depend on python2 instead of python
and python2-giturlparse instead of python-giturlparse
- test cases could be run via tox, therefore all py2+3 dependencies
should be added to checkdepends and tox be invoked
- could build docs like txt and man via sphinx in doc folder
python-marshmallow:
- test cases could be run via tox, therefore all py2+3 dependencies
should be added to checkdepends and tox be invoked
- could build docs like txt and man via sphinx in doc folder
- you could distribute the LICENSE.MIT file as MIT is not a common
- 2.13.6 has been released
python-vagrant:
- test cases could be run
- you could distribute the LICENSE.MIT file as MIT is not a common
python-testinfra:
- test cases could be run via pytest and included in checkdepends
- PBR_VERSION will fail if run with noextract as prepare() is skipped
python2-humanize:
- python packages should have a build function as it's building
binary artifacts via setup.py and named function is needed in
the future to make py packages reproducible
- it depends on python while this is a python2 package
- test cases and docs can be used if github sources are fetched instead
python-rofi:
- should use prefixed source with $pkgname and $pkgver to have a unique
file per version and package as it may conflict with a global source
dest setup
python-pychromecast:
- pkgdesc says "Library for Python 2 and 3 to..." how about including
python2 via a split package then? :P
- python packages should have a build function as it's building
binary artifacts via setup.py and named function is needed in
the future to make py packages reproducible
- maybe include the examples directory in the docs?
xoutputd-git:
- VCS package missing provides/conflicts
- install mod 655 in bin file, is that on purpose or 755 expected?
- makedepends on git missing
- you could distribute the LICENSE file as MIT is not a common
tmux-resurrect:
- must depend on tmux and bash
texcount:
- no need to unzip it yourself, it works pretty well without prepare and
via bsdtar
cheers,
Levente
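Two of the review points above (deriving pkgver from `git describe`, and fixing up the group/world-writable files that the npm race leaves under node_modules) as a small bash example. This is an added illustration, not code from the thread or from any of the reviewed PKGBUILDs; the function names and the fixture directory are made up for the demo.

```shell
#!/bin/bash
# Added example, not part of the original mail. Plain bash so the
# helpers can be exercised outside makepkg; the names are hypothetical.

# Turn `git describe --always` output into a makepkg-friendly pkgver with
# the sed expression from the review: strip a leading "v" and replace
# every "-" with ".", e.g. "v1.6.2-14-gabc1234" -> "1.6.2.14.gabc1234".
normalize_pkgver() {
    printf '%s\n' "$1" | sed 's/^v//;s/-/./g'
}

# Count group- or world-writable entries under a directory. A packager
# wants to see 0 here before anything is copied into $pkgdir.
count_world_writable() {
    find "$1" \( -perm -g+w -o -perm -o+w \) | wc -l | tr -d ' '
}

# Clear the group/other write bits on everything under a directory,
# the fixup the review suggests after `npm install`.
fix_world_writable() {
    find "$1" \( -perm -g+w -o -perm -o+w \) -exec chmod go-w {} +
}

# Build a constructed node_modules tree that mimics the npm bug and print
# its path (caller removes it). Quoting matters: the path may have spaces.
make_fixture() {
    local tmp
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/node_modules/some pkg"
    printf 'module.exports = 1;\n' > "$tmp/node_modules/some pkg/index.js"
    chmod 777 "$tmp/node_modules" "$tmp/node_modules/some pkg"
    chmod 666 "$tmp/node_modules/some pkg/index.js"
    printf '%s\n' "$tmp"
}

demo() {
    local fixture
    fixture="$(make_fixture)"
    echo "pkgver: $(normalize_pkgver 'v1.6.2-14-gabc1234')"
    echo "before fixup: $(count_world_writable "$fixture") writable entries"
    fix_world_writable "$fixture"
    echo "after fixup:  $(count_world_writable "$fixture") writable entries"
    rm -rf "$fixture"
}

demo
```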