[aur-general] TU Application: Morten Linderud
Morten Linderud
morten at linderud.pw
Wed Sep 6 00:07:37 UTC 2017
On Tue, Sep 05, 2017 at 05:33:09PM +0200, Levente Polyak wrote:
> > During last years Chaos Communication Congress I got in touch with anthraxx and
> > shibumi. They introduced me to their security meet up along with jelle and
> > rgacogne. This ended up with me assisting the reviewing of security advisories,
> > and I have now been added as a CVE reporter to the team.
> >
>
> I can confirm that this happened, and we are happy to have you around
> for security stuff.
>
Thank you for everything!
> Now, I'm going to take a look at your AUR... Let the hunt begin *giggle*
>
D:
> archur-git:
> - VCS package missing provides/conflicts
>
Fixed!
> bmusb:
> - would be more error prone and convenient to keep pkgver in sync when
> using a pkgver() function for pinned commits and f.e. do:
> git describe --always | sed 's/^v//;s/-/./g'
> - url variable points to a 403 page
>
Fixed apart from the pkgver(). Not sure about the intention of keeping the
pkgver in sync with the commit hash.
> buildah-git:
> - VCS package missing provides/conflicts
> - license can be changed to 'Apache' as that is already in common
> licences and points to version 2.0
> - clone URL could use TLS via git+https
>
Fixed!
> cryptomator:
> - cryptomator.sh should use quotes for $PATH as it may contain spaces
>
Fixed!
> cubemap:
> - VCS package missing provides/conflicts
> - source name must contain something unique for current tarball like
> commit hash otherwise it collides with an existing download of a
> previous version and just fails on checksum matching
> - fails to build: configure: error: Package requirements (libsystemd)
> were not met, seems to require it
>
It's not a VCS package, so I'm a little unsure what you mean by that. The rest
was fixed with eschwartz's comments. Just forgot to push.
> dep-git:
> - VCS package missing provides/conflicts
> - clone URL could use TLS via git+https
> - use quotes for $PATH and $GOPATH as it could contain spaces
>
Fixed!
> dmenu-extended:
> - VCS package not named dmenu-extended-git, either rename or
> use a pinned commit (you promised that a year ago in the
> comments *giggle* :P :D )
> - python packages should have a build function as it's building
> binary artifacts via setup.py and a named function is needed in
> the future to make py packages reproducible
>
Fixed! Deletion request has been sent to the old package.
> jottalib:
> - uses static string in the source v0.5.1.tar.gz that can be replaced
> by $pkgver
> - not an 'any' arch as it builds binary artifacts
> - seems to contain lot of test cases run by travis, maybe try to include
>
Fixed. The test cases will have to wait a little as it refers to "python"
instead of "python2", along with being hard forked quite recently.
> molecule
> - URL pin-points to 2.0.0.rc12 (which isn't even used anymore)
> - would be more error prone and convenient to keep pkgver in sync when
> using a pkgver() function for pinned commits and f.e. do:
> git describe --always | sed 's/^v//;s/-/./g'
> - test cases could be run via tox
> - could build docs like txt and man via sphinx in doc folder
> - outdated since 20 hours, 2.0.4 release *giggle*
>
Fixed, apart from the pkgver and this library needs itself installed to generate
docs. Need to figure out how this is done.
> nageru
> - 1.6.2 has been released
>
Upstream dev forgot to update the archive on the page. Bugged him and got it fixed.
> protege-distribution:
> - try to build from source rather than redistribute precompiled binary
> blobs
>
Fixed!
> nodejs-how2:
> - could possibly be pulled via TLS https because why not :P
> - npm install package should forcefully fixup $pkgdir/usr file/dirs
> as it's a non-deterministic race condition bug that upstream still
> fails to find and fix. It can lead to node_modules dir being world
> writable and it contains code, f.e. line 26 :
>
> https://git.archlinux.org/svntogit/community.git/tree/trunk/PKGBUILD?h=packages/uglify-js#n26
>
>
All fixed!
> nerd-fonts-git:
> - VCS package missing provides/conflicts
>
Fixed!
> python-anyconfig:
> - uses setuptools entrypoint functionality and therefore must hard depend
> on python{,2}-setuptools instead of just makedepends
> - you could distribute the LICENSE.MIT file as MIT is not a common
> included license
> - you could run tests via tox
>
Fixed!
> python-gilt
> - package_python2-gilt() must depend on python2 instead of python
> and python2-giturlparse instead of python-giturlparse
> - test cases could be run via tox, therefore all py2+3 dependencies
> should be added to checkdepends and tox be invoked
> - could build docs like txt and man via sphinx in doc folder
>
Fixed.
The documentation requires gilt installed to be generated. So unsure how that
should be done. I have to look closer at this.
> python-marshmallow:
> - test cases could be run via tox, therefore all py2+3 dependencies
> should be added to checkdepends and tox be invoked
> - could build docs like txt and man via sphinx in doc folder
> - you could distribute the LICENSE.MIT file as MIT is not a common
> - 2.13.6 has been released
>
sphinx requires a library called "sphinx_issues" for generating the docs.
Noted the package on my todo list. Rest has been fixed.
> python-vagrant:
> - test cases could be run
> - you could distribute the LICENSE.MIT file as MIT is not a common
>
The testing is sorta peculiar as it requires vagrant and virtualbox(!) to run.
Haven't gotten the cases to run after installing them so I have to work a bit
more on this.
> python-testinfra:
> - test cases could be run via pytest and included in checkdepends
> - PBR_VERSION will fail if run with noextract as prepare() is skipped
>
Fixed the PBR_VERSION issue. But the test cases require docker to run, so I
have to spend some more time to see if it's worth adding the tests to this
package.
> python2-humanize:
> - python packages should have a build function as it's building
> binary artifacts via setup.py and a named function is needed in
> the future to make py packages reproducible
> - it depends on python while this is a python2 package
> - test cases and docs can be used if github sources are fetched instead
>
Fixed!
> python-rofi:
> - should use prefixed source with $pkgname and $pkgver to have a unique
> file per version and package as it may conflict with a global source
> dest setup
>
Fixed!
> python-pychromecast:
> - pkgdesc says "Library for Python 2 and 3 to..." how about including
> python2 via a split package then? :P
> - python packages should have a build function as it's building
> binary artifacts via setup.py and a named function is needed in
> the future to make py packages reproducible
> - maybe include the examples directory in the docs?
>
Fixed!
> xoutputd-git:
> - VCS package missing provides/conflicts
> - install mode 655 on bin file, is that on purpose or 755 expected?
> - makedepends on git missing
> - you could distribute the LICENSE file as MIT is not a common
>
Fixed!
> tmux-resurrect:
> - must depend on tmux and bash
>
Fixed!
> texcount:
> - no need to unzip it yourself, it works pretty well without prepare and
> via bsdtar
>
Fixed!
Thanks again anthraxx and eschwartz for the comprehensive reviews!
--
Morten Linderud
PGP: 9C02FF419FECBE16
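Two of the review points above recur across several packages and are worth seeing as working shell: the pkgver() transform for pinned commits (the `git describe --always | sed 's/^v//;s/-/./g'` one-liner suggested for bmusb and molecule) and the permission fixup on $pkgdir that the nodejs-how2 and xoutputd-git items ask for, so that an `npm install` race or a stray `install -m 655` cannot ship group- or world-writable code in a package. The helpers below are an added example written for this page; they are not code from the thread, from the uglify-js PKGBUILD it links to, or from any of the packages named. They assume a POSIX shell with GNU-style `find -perm /mode`, and the function and variable names are made up for the illustration.

```shell
#!/bin/sh
# Added example, not from the aur-general thread or any AUR package.
# Helpers a PKGBUILD could source to implement two of the review points.
set -eu

# Turn `git describe --always` output into a pacman-compatible pkgver,
# exactly as the reviewer's sed one-liner does: strip a leading "v" and
# replace every "-" (which pacman forbids in pkgver) with ".".
#   v1.2.3-4-gabcdef1  ->  1.2.3.4.gabcdef1
#   abcdef1            ->  abcdef1      (no tag reachable, bare hash)
describe_to_pkgver() {
    printf '%s\n' "$1" | sed 's/^v//;s/-/./g'
}

# List regular files and directories under "$1" that are group- or
# world-writable. Empty output means the tree is clean. Quoting "$1"
# matters: the same review notes $PATH/$GOPATH may contain spaces.
find_group_world_writable() {
    find "$1" \( -type f -o -type d \) -perm /022 -print | sort
}

# Normalise modes under "$1" before packaging so that a non-deterministic
# npm install race (or a typo such as -m 655) cannot leave writable or
# oddly-moded code in $pkgdir: directories 755, anything with an x bit 755,
# everything else 644. Assumption: the tree has no setuid/setgid binaries,
# since chmod 755 would silently drop those bits.
fixup_pkgdir_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -perm /111 -exec chmod 755 {} +
    find "$1" -type f ! -perm /111 -exec chmod 644 {} +
}

# In a PKGBUILD one would call these as, for example:
#   pkgver() { cd "$srcdir/$pkgname"; describe_to_pkgver "$(git describe --always)"; }
#   package() { npm install ...; fixup_pkgdir_perms "$pkgdir/usr"; }
```

Running `find_group_world_writable "$pkgdir/usr"` in package() before and after the fixup is a cheap self-check; a non-empty listing after `fixup_pkgdir_perms` means something recreated files behind your back and the build should be treated as broken rather than shipped.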