[aur-requests] [PRQ#11319] Request Rejected

Eli Schwartz eschwartz at archlinux.org
Mon May 7 10:10:10 UTC 2018

On 05/06/2018 01:08 PM, notify--- via aur-requests wrote:
> Request #11319 has been rejected by Eschwartz [1]:
> Checksums don't add security, that's why they're the "integrity
> check", not the "security check". Do you know how many [core] packages
> don't have PGP signatures available at all? Those are used on far more
> devices.

Really I should clarify. I've actually fought for the use of integrity
checksums more, e.g. unsuccessfully asking for --geninteg to default to
better checksums. Even a non-perfect fix is better than nothing, and
every bit helps.

I also prefer when using git sources to pin the #commit= instead of tags.

This wasn't my main reason for rejecting your request though, instead
this was:

> Granted, using PGP when available is always nice. But I don't see you
> screeching at the non-dkms package maintainer to fix *his* packages
> which don't use PGP either...
> So much for the "security flaw".

In the comments you complained that PGP is not used, but you're involved
with archzfs (and therefore hardly objective). What I find interesting
is the sheer gall in essentially saying we should forcibly orphan a
package because we don't like his checksum policies, then capping that
off by complaining about the lack of PGP *when archzfs does the exact
same thing*. And you're even involved with that and could fix it far easier.

archzfs may take 10 months to still not merge the fix for erroneously
depending on a specific pkgrel of the kernel, and the code may be nearly
as bad/unreadable as the average GNU project, or perhaps the output of
grub-mkconfig (a scarily apt comparison between two horrible
autogenerators)... but it seems to have a pretty fair track record of
*listening* and engaging in dialogue with users.

> As for maintainers taking "weeks for a simple update", not everyone
> can update the very day something is released, you get what you pay
> for and sometimes not even that in the AUR. This is why we offer
> maintainers grace periods, because otherwise no one would be able to
> maintain packages for more than two or three upstream updates before
> some overwrought individual throws a tantrum and claims the package
> for themselves.

This is really the only thing that matters at the end of the day.

> We can discuss this as and when that becomes relevant, but this is not
> even currently out of date...
> Your false complaint about security gets extra points taken off of my
> likelihood to care what you have to say.

False might be too strong a word, it's just hypocritical and
overinflated for the actual magnitude of the issue.

Eli Schwartz
Bug Wrangler and Trusted User

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/aur-requests/attachments/20180507/c8bad416/attachment.asc>

More information about the aur-requests mailing list