<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<div>Thanks for pointing that out Jonathon, Ill fix it tomorrow, as I have done in the past when requested changes.<br></div><div dir="auto"><br></div><div dir="auto">I have concerns about the intent of the user requesting the deletion; for some unknown reason the request came out of thin air to an actively maintained package, created a duplicate -git, removed all Contributors to the header comment, then filed a merge request, which was merged even after changes had been made.<br></div><div dir="auto"><br></div><div dir="auto">env25 suggested I add pkgver. I took the users word for it and the user did not cancel the original merge request which moved all the history of non git to the git repo. It was approved as I wasn’t subscribed at the time to the mailing list, and didn’t respond on the list. I certainly responded in the comments however, as per the guidelines.<br></div><div dir="auto"><br></div><div dir="auto">Env25 was a brand new account but knew everything about the AUR which can insinuate multiple conclusions.<br></div><div dir="auto"><br></div><div dir="auto">All I care about is the security of the package. The package history which I have kept in absolute full had been dormant since 2017. I decided to revive it after almost 5 years and I’m actively maintaining it.<br></div><div dir="auto"><br></div><div dir="auto">I have no attachment to the package, however I’m just concerned for the security of the package which at the time was from a brand new user, yet knew everything about the AUR process.<br></div><div dir="auto"><br></div><div dir="auto">The most appropriate thing to do is merge the -git package back into non git, which restores all the comment history including Fabio’s original suggestions to fix, to which I addressed.<br></div><div dir="auto"><br></div><div dir="auto">Then env25 should recreate the git package as all of the historical and important comments were moved to the new one and make no sense as there’s now no git history, no previous maintainer information, no changelog, nowhere to submit PR, and does not respond to comments.<br></div><div dir="auto"><br></div><div dir="auto">I don’t understand why eNV25 was in a rush to merge the package yet knows I’m trivially contactable.<br></div><div dir="auto"><br></div><div dir="auto">Now wants to delete the pinned package, which helps nobody who wants to use it.<br></div><div dir="auto"><br></div><div dir="auto">That’s my security paranoid hat on, but I still don’t get the logic behind why the user was in a rush to take over a highly maintained package.<br></div><div dir="auto"><br></div><div dir="auto">I added a forewarning to the wiki specifically to address security with the package <a target="_blank" rel="noopener noreferrer" href="https://wiki.archlinux.org/title/Anbox#Security">https://wiki.archlinux.org/title/Anbox#Security</a><br></div><div dir="auto"><br></div><div dir="auto">Regards,<br></div><div dir="auto"><br></div><div>In good faith,<br></div><div><br></div><div>Sick Codes of the Security Research Team <a target="_blank" rel="noopener noreferrer" href="https://twitter.com/sickcodes">@SickCodes</a><br></div><div><div><div><br></div></div><div><a href="https://sick.codes" rel="noopener noreferrer" target="_blank">https://sick.codes</a><br></div></div><div dir="auto"><a href="https://github.com/sickcodes" rel="noopener noreferrer" target="_blank">https://github.com/sickcodes</a><br></div><div dir="auto"><a href="https://twitter.com/sickcodes" rel="noopener noreferrer" target="_blank">https://twitter.com/sickcodes</a><br></div><div dir="auto"><a href="https://www.linkedin.com/in/sickcodes/" rel="noopener noreferrer" target="_blank">https://www.linkedin.com/in/sickcodes/</a><br></div><div dir="auto"><a href="https://www.youtube.com/c/sickcodes" rel="noopener noreferrer" target="_blank">https://www.youtube.com/c/sickcodes</a><br></div><div dir="auto"><a href="https://parler.com/profile/sickcodes/" rel="noopener noreferrer" target="_blank">https://parler.com/profile/sickcodes/</a><br></div><div dir="auto"><a href="https://hackerone.com/sickcodes" rel="noopener noreferrer" target="_blank">https://hackerone.com/sickcodes</a><br></div><div dir="auto"><a href="https://bugcrowd.com/sickcodes" rel="noopener noreferrer" target="_blank">https://bugcrowd.com/sickcodes</a><br></div><div dir="auto"><a href="https://hub.docker.com/r/sickcodes" rel="noopener noreferrer" target="_blank">https://hub.docker.com/r/sickcodes</a><br></div><div dir="auto"><br></div><div dir="auto"><br></div><div>Jan 16, 2022, 04:21 by aur-requests@lists.archlinux.org:<br></div><blockquote class="tutanota_quote" style="border-left: 1px solid #93A3B8; padding-left: 10px; margin-left: 5px;"><div>On 15/01/2022 19:00, Sick Codes via aur-requests wrote:<br></div><blockquote><div>anbox-modules-dkms follows last working commit with the patch for 5.10<br></div><div><br></div><div>anbox-modules-dkms-git follows master branch with sed instead of a patch<br></div></blockquote><div><br></div><div>As of [1], anbox-modules-dkms is pinned to upstream commits. It is therefore not a VCS package (and doesn't need a pkgver() function, so I'm not sure why one was added).<br></div><div><br></div><div>The sed and patch are now a moot point as 5.10 is no longer in the repos (and looking at the discussion on [2] I'm not convinced either approach is the correct one).<br></div><div><br></div><div>[1] https://aur.archlinux.org/cgit/aur.git/commit/?h=anbox-modules-dkms&id=d77ac721b2e845eb537f23f936287f8b6bbb0363<br></div><div>[2] https://github.com/choff/anbox-modules/pull/1<br></div></blockquote><div dir="auto"><br></div> </body>
</html>