[aur-general] TU Application: Daniel Bermond (dbermond)
scimmia at archlinux.org
Sun Oct 14 21:47:34 UTC 2018
On Sun, 14 Oct 2018 23:38:54 +0200
Baptiste Jonglez <baptiste at bitsofnetworks.org> wrote:
> On 14-10-18, Doug Newgard via aur-general wrote:
> > Decided to take a quick look at your PKGBUILDs, and just a few spot checks
> > make me wonder. The first one I click on is apache-flex-sdk, I see that you
> > aren't the original submitter, so I look at the git log and see that the first
> > thing you did when taking over this was to remove pgp checks from the source.
> > WTF. Look at the PKGBUILD, see a totally useless prepare function, ok, not a
> > big thing. Let's check another one, clicked on flif, see msg2s being used for
> > no reason and bad conflicts. Click on a couple more, see that those issues
> > aren't mistakes, they're a fundamental misunderstanding.
> > Maybe my perception was colored by that really bad decision to remove the pgp
> > checks, and while the PKGBUILDs are mostly fine, there seem to be things about
> > packaging that you don't understand yet. Is it time to become a TU already?
> Well, as always, you could start by not being immediately aggressive
> towards people.
Please read my email again, it was not aggressive in any way. My response to
your candidate would be aggressive, I'm still deciding if I want to actually
> Judging from the handful of PKGBUILDs I've read, the quality is really
> high overall, they don't even have most of the "classical" small mistakes
> (there is source renaming when needed, etc). We don't require new TUs to
> do everything perfectly, and nothing is ever perfect anyway. There's
> always something new to learn.
I'm not talking about expecting perfection, I'm seeing consistent issues that
point to a possible misunderstanding on how packaging is handled. That is a
cause for concern and worth being brought up.
> Regarding the PGP checks, there is no question that they are very useful
> and desirable for packages in our repositories. I am sure that Daniel
> will make efforts to add PGP checks wherever possible when he moves
> packages to [community]. But for the AUR, the situation is a bit
> different (in my opinion) because I know it throws some people off when
> they don't know that they have to import a PGP key to build the package.
> I tend to include them anyway now, but I would understand that somebody
> would like not to.
The situation in the AUR is no different at all. Downgrading PKGBUILDs to
appease users who don't want to learn anything is a serious problem and is a
cause for grave concerns.
> Anyway, for the specific case of apache-flex-sdk, look at the comments:
> the signing key simply seemed to have expired.