[aur-general] Request for Public Review of REXPaint package

Kevin Morris kevr at 0cost.org
Sat Jul 31 21:20:48 UTC 2021 

That is absolutely insecure. Upstream should probably provide a
way to provide overrides to those files, which probably means also
dealing with prioritizing an override location over /usr/share
defaults.

Some packages have used /opt to do things like this in the past.
Personally, I try to avoid using /opt with system packages, because
it differentiates how things are organized for packages in the root
filesystem.

Some options would be things like: $HOME/.config/<package>/... or
some XDG directory for overrides.

Regards,
Kevin

On Sat, Jul 31, 2021 at 01:26:00PM +0000, Vince via aur-general wrote:
> Hi everyone!
> Thank you for the help on the the thread eariler, I found the advice
> and examples very useful. I have posted a request for review of my
> PKGBUILD over IRC, but I would appreciate any criticism here too.
> 
> I have uploaded the PKGBUILD, and two files that would come with it
> (launcher.desktop and launcher.sh). There are a couple decisions I
> made that are unconventional, so I'll list them here:
> 
> 1. As George suggested, I renamed my package from `rexpaint-bin` to
>    just `rexpaint`, since there are no sources available.
> 
> 2. The server hosting the program blocks Curl's user agent. As far as
>    I can tell, the convention is to use "Mozilla" as a user agent
>    instead. However, I have opted to use "PKGBUILD" as the agent, so I
>    avoid accidentally messing up any statistics that may be collected
>    upstream.
> 
> 3. I have used standard package permissions as far as I can tell,
>    except for `/usr/share/rexpaint/images`. The program saves data
>    into this directory, so it must be 777.
> 
> 4. I am not sure what to do with `/usr/share/rexpaint/data`. It
>    contains data such as fonts and palettes, which might be edited by
>    the user during usage. Right now I have assumed that the user will
>    not do that, so it is not listed in `$backup` and its mode is 755.
>    I have sent an email upstream asking about this, and am waiting for
>    a response.
> 
> 5. The program tries to write logs into the Working Directory
>    (`/usr/share/rexpaint`), but it cannot do this because I have set
>    its mode to 755. However, giving the everyone write permissions in
>    `/usr/share/rexpaint` seems insecure. Please advise.
> 
> As stated before, I have emailed upstream to ask if it's okay that I
> publish this packaging to the repositories. This is not required by
> the license, but I am too young to be making enemies, and it would be
> nice to have some upstream. I will publish it when I get the goahead,
> or if he takes more than 24h to reply.
> 
> All feedback is appreciated.
> 
> Thank you in advance,
> Vincent



-- 
Kevin Morris
Software Developer

Identities:
 - kevr @ Libera
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/aur-general/attachments/20210731/ff176a6f/attachment.sig>

More information about the aur-general mailing list