[aur-general] TU Application - blakkheim

T.J. Townsend tj at mrsk.me
Thu Aug 25 18:14:21 UTC 2022


On Thu, Aug 25, 2022 at 08:43:38PM +0300, Leonidas Spyropoulos via aur-general wrote:
> > I'm the maintainer or co-maintainer for a few OpenBSD-derived packages
> > in the AUR: openiked, rpki-client, and openbgpd. I've been involved with
> > OpenBSD since 2014 and became a project committer there in early 2016.
> >
> > In the last two years I've submitted just over 150 patches to the Arch
> > bug tracker: https://bugs.archlinux.org/index.php?opened=32638&status[]=
>
> Many of these patches and bugs are switching to https and signed commits
> and given the limited AUR packages (3) you are involved as maintainer /
> co-maintainer I don't see a lot of PKGBUILDs to have a view on your
> packaging history.

Supply chain attacks are an area of interest for me, so getting more of
our packages to use secure downloads and PGP verification has been one
of my main focuses so far. When I first started building Arch packages,
I did a fairly deep dive into the repositories to find anything that was
being pulled over HTTP or unencrypted git:// links. Some of the added PGP
verification has been a result of me convincing the upstream projects to
use it consistently. I think it's an effort worth pursuing.

My use of the AUR is somewhat limited, but the PKGBUILDs there should give
you a general idea of my familiarity.

> > Some community packages I'd like to co-maintain are openntpd, opensmtpd,
> > libressl, sndio, mandoc, signify, dnscrypt-proxy, bmake, scrot, firejail,
> > xcalib, mktorrent, parallel, ncmpcpp...
> 
> Some of these are with a sole maintainer which is great since they could
> be busy +1

I tried to pick ones with two or fewer maintainers. There are some others
I'd be glad to co-maintain, but didn't feel like it was necessary when they
had more than two maintainers already.

> > And more (frankly, lots more) in the core/extra repos if that option opens
> > up in the future. [..] If I'm accepted, one of my goals will be to get
> > missing security fixes into Arch's repository shortly after their upstream
> > release.
> 
> What stops you from opening bug report and submitting patches for those
> now without being a TU? If these are in core/extras your options would
> be the same as you have now, right?

As far as core/extra repos go, yes, I'll still be stuck submitting missing
security fixes through the bugtracker for the time being. My hope is to one
day gain access to those through becoming a developer, at which time I can
get a lot more work done and make a bigger positive impact. Becoming a TU
would be a good first step in that process though.

Thanks for your reply.

