[aur-general] Trusted user application: Drew DeVault

Jerome Leclanche jerome at leclan.ch
Thu Feb 28 14:33:37 UTC 2019


On Thu, Feb 28, 2019 at 3:26 PM Levente Polyak via aur-general
<aur-general at archlinux.org> wrote:
>
> On 2/28/19 2:58 PM, Jerome Leclanche wrote:
> > On Thu, Feb 28, 2019 at 12:51 PM Josef Miegl <josef at miegl.cz> wrote:
> >> Although I don't have high expectations when dealing with AUR packages, it is absolutely the maintainer's job to keep track of upstream updates. This mindset is probably the reason why there is so much out of date stuff on the AUR. It strikes me that a maintainer who doesn't keep track of his own packages wants to become a TU.
> >
> > No, it is not, and please don't expect this of volunteers. The
> > responsibility goes as far as security (being made aware ASAP of
> > security issues in packages), but knowing in general when a release
> > happens is not (and/or shouldn't be) the TU's responsibility.
> > Most TUs do know when a release happens in at least a portion of their
> > packages, by nature of often maintaining packages they have some
> > working relationship with. But the flagging system is very useful in
> > crowdsourcing the non-security-sensitive portion of package
> > maintenance.
>
>
> I very strongly disagree on this, nobody forces a volunteer to
> _maintain_ a certain package, but if it is chosen by choice then keeping
> it up to date is a responsibility as well.
> As long as we do not have an automatic system in place it is one of the
> responsibilities to track it as well as possible!
> This doesn't make the out-of-date flag system non-useful, even when we
> would have our automatic flagging system in place, as it could slip
> through the radar or tracking like upstream may change the location for
> future releases.
> I frankly don't like the habit of "I don't give a darn to track, someone
> will flag it", this is bad practice, and the best we could agree on is
> that we strongly disagree.
>
> sincerely,
> Levente
>

We have TUs with hundreds of packages. Beyond automatic checks, do you
really expect they keep up with every single release?
I've myself updated several packages that were out of date (and
unflagged) in [community]. I'm not saying the attitude *should* be "I
don't give a damn", but in practice, I don't believe this expectation
you mention is in place (and moreover, I reiterate that I do not think
there should be such an expectation when it can very efficiently be
offloaded to scripts and users).

J. Leclanche

