[aur-requests] [PRQ#11319] Request Rejected

notify at aur.archlinux.org
Sun May 6 17:08:17 UTC 2018


Request #11319 has been rejected by Eschwartz [1]:

Checksums don't add security, that's why they're the "integrity
check", not the "security check". Do you know how many [core] packages
don't have PGP signatures available at all? Those are used on far more
devices.

Granted, using PGP when available is always nice. But I don't see you
screeching at the non-dkms package maintainer to fix *his* packages
which don't use PGP either...

So much for the "security flaw".

As for maintainers taking "weeks for a simple update", not everyone
can update the very day something is released, you get what you pay
for and sometimes not even that in the AUR. This is why we offer
maintainers grace periods, because otherwise no one would be able to
maintain packages for more than two or three upstream updates before
some overwrought individual throws a tantrum and claims the package
for themselves.

We can discuss this as and when that becomes relevant, but this is not
even currently out of date...
Your false complaint about security gets extra points taken off of my
likelihood to care what you have to say.

[1] https://aur.archlinux.org/account/Eschwartz/

