[aur-general] Trusted user application: Drew DeVault

Drew DeVault sir at cmpwn.com
Mon Feb 25 17:37:29 UTC 2019


Hey Christian!

On 2019-02-25  6:21 PM, Christian Rebischke via aur-general wrote:
> 1. Can you describe in a few sentences how you build your packages for
> the AUR and for your own repository?

For the AUR: I just run makepkg -i and makepkg --printsrcinfo >
.SRCINFO. I keep it pretty casual for the AUR.

For my own repository: I have a script called pkgkit[0] which automates
some of the work. It automatically takes care of things like bumping
pkgrel & checksums, common sources of human error. Then I submit it to
my CI with this[1] build manifest, which boots up a fresh Arch Linux VM
to build the package on, and uploads it to my repo.

[0] https://git.sr.ht/~sircmpwn/sr.ht-pkgbuilds/tree/master/pkgkit
[1] https://git.sr.ht/~sircmpwn/sr.ht-pkgbuilds/tree/master/build.yml

> 2. How do you keep track of updates of upstream software? Do you use a
> specific software for it? Which one?

For the AUR I don't keep up with upstream releases, I just wait for
someone to mark the package as outdated. For Alpine Linux I use a
combination of subscribing to the upstream -announce mailing list and
subscribing to GitHub releases as appropriate; would do something
similar for Arch Linux community.

> 3. Do you plan to socialize with the community? If yes: on which
> platforms? If no: why?

Sure, and I already do some. Just on IRC.

> 4. What do you like about Arch Linux the most? What do you hate about it?
> (You can be open here, I will not judge ^___^)

I like that everything is up to date and for the most part Just Werks. I
dislike glibc and systemd, but we needn't take that particular flamewar
any further than that.

> 5. Are you willing to attend real-life meetups on conferences like
> FrosCon, CCC, etc?

Yep. I met many Arch Linux developers at FOSDEM a few weeks ago.

> 6. Do you have any experience with security?

This is a pretty broad and open ended question. I suppose my answer is
"yes"?

> 7. A user opens a bug report, where the user reports a security
> vulnerability in one of your packages. The security vulnerability is
> unknown and seems to be a 0-day. How do you react?

I let upstream know about the issue and then hand them the reins. I
consider security vulnerabilities an upstream problem and delegate
authority on how to proceed to them. When a fix is available I'll ship
it in my Arch package. I'm not really into the whole responsible
disclosure aka pressuring upstream into fixing it yesterday kind of
approach.

> That's all from me. Thanks for your hard work with sway btw :)

:)
