Trust Management

Open actionless opened this issue 6 years ago • 5 comments

interactively add AUR pkgs authors to whitelist, skip pkg or abort whole transaction

and notify if the diff contains commits from authors different from those previously installed

please give some opinions regarding it being enabled by default or not

actionless avatar Jul 12 '18 04:07 actionless
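The check proposed above, as an added example written for this thread (it is not pikaur's own code). It assumes the git history since the previously installed revision is handed in as lines of `<commit-hash><TAB><author-email>` (what `git log --format='%H%x09%ae' <installed-commit>..HEAD` prints inside the package's AUR clone), that the trust list is a plain per-package dict the caller persists, and that the prompt is injected as a callable so the decision logic can run non-interactively; the sample log lines are constructed.

```python
"""Added example, not pikaur's own code: flag AUR package updates whose git
history since the previously installed revision contains commits from
authors never seen for that package, and let the user trust the author,
skip the package, or abort the whole transaction.

Assumptions (not from the issue): log lines look like "<hash>\t<email>",
e.g. `git log --format='%H%x09%ae' <installed-commit>..HEAD`; the trust
store is a dict package-name -> set of trusted author e-mails that the
caller persists; the sample log lines are constructed for this example.
"""
from __future__ import annotations

from enum import Enum
from typing import Callable, Dict, List, Set, Tuple


class Decision(Enum):
    INSTALL = "install"   # every author in the log is trusted for this package
    SKIP = "skip"         # skip this package, continue the transaction
    ABORT = "abort"       # abort the whole transaction


TrustStore = Dict[str, Set[str]]
LogEntry = Tuple[str, str]  # (commit hash, lower-cased author e-mail)

# Constructed sample: first install has one commit by the maintainer; the
# later update adds a commit by someone else (e.g. after the package was
# orphaned and adopted).
FIRST_INSTALL_LOG = "a1b2c3d4\talice@example.org\n"
UPDATE_LOG = (
    "e5f6a7b8\talice@example.org\n"
    "c9d0e1f2\tmallory@example.net\n"
)


def parse_log(log_text: str) -> List[LogEntry]:
    """Parse '<hash>\\t<email>' lines; reject malformed lines instead of guessing."""
    entries: List[LogEntry] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        commit, sep, author = line.partition("\t")
        if not sep or not commit or not author.strip():
            raise ValueError(f"malformed git log line: {raw!r}")
        entries.append((commit, author.strip().lower()))
    return entries


def unseen_authors(entries: List[LogEntry], trusted: Set[str]) -> List[str]:
    """Authors present in the log but not in the trusted set, in first-seen order."""
    unseen: List[str] = []
    for _, author in entries:
        if author not in trusted and author not in unseen:
            unseen.append(author)
    return unseen


def review_update(
    pkg: str,
    log_text: str,
    store: TrustStore,
    decide: Callable[[str, str, List[str]], str],
) -> Decision:
    """Decide whether `pkg` may be installed given the commits since the
    previously installed revision.

    `decide(pkg, author, commits)` is the interactive prompt and must return
    "trust", "skip" or "abort". On the first install there is nothing to
    compare against, so all authors in the log are recorded as trusted
    (a design choice of this example, not something the issue specifies).
    Trust is kept per package: trusting someone for one package says
    nothing about their commits to another.
    """
    entries = parse_log(log_text)
    if pkg not in store:
        store[pkg] = {author for _, author in entries}
        return Decision.INSTALL
    for author in unseen_authors(entries, store[pkg]):
        commits = [commit for commit, a in entries if a == author]
        choice = decide(pkg, author, commits)
        if choice == "trust":
            store[pkg].add(author)
        elif choice == "skip":
            return Decision.SKIP
        elif choice == "abort":
            return Decision.ABORT
        else:
            raise ValueError(f"unexpected choice {choice!r}")
    return Decision.INSTALL


def prompt_on_terminal(pkg: str, author: str, commits: List[str]) -> str:
    """Minimal interactive prompt for stand-alone use."""
    print(f"{pkg}: {len(commits)} new commit(s) by previously unseen author {author}")
    for commit in commits:
        print(f"  {commit}")
    answers = {"t": "trust", "s": "skip", "a": "abort"}
    while True:
        ans = input("[t]rust author for this package, [s]kip package, [a]bort? ").strip().lower()
        if ans in answers:
            return answers[ans]


if __name__ == "__main__":
    store: TrustStore = {}
    review_update("example-pkg", FIRST_INSTALL_LOG, store, prompt_on_terminal)  # no prompt
    print(review_update("example-pkg", UPDATE_LOG, store, prompt_on_terminal))   # prompts for mallory
```

The prompt only fires for authors the package has not had before, which is what the "different from previously installed" notification asks for; whether "trust" should apply globally rather than per package is exactly the kind of default the opening post asks for opinions on.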

I do not think this would be a useful feature, especially in a GitHub/GitLab/crowdsource era where anybody can contribute to a project.
Please, can you do an example?

mattia-b89 avatar Oct 03 '19 08:10 mattia-b89

by "authors" I mean authors/committers of the AUR repo, not of the original source code repo

actionless avatar Oct 03 '19 10:10 actionless

I am not an expert, but only the current maintainer can push changes to AUR.
This means the commit author changes only when the maintainer changes, and this happens rarely.
Most important, the issue's title (Trust Management) tells us it would be a security issue, a threat concern, but a change in commits' authors does not tell much about this topic:

  1. AUR stands for Arch User Repository, that is, AUR users are aware...
  2. let us imagine we enable this feature and the author is trusted; we can say "the PKGBUILD is safe", but this does not say anything about the software itself, on the source code side!

I think if this is a security issue, it would be handled "upstream", by the AUR system itself, e.g. by resetting vote count or popularity; in this way users are aware of "changes" compared to the previous version...

mattia-b89 avatar Oct 03 '19 12:10 mattia-b89

> I am not an expert, but only the current maintainer can push changes to AUR.

nope, you can have multiple contributors at the same time

but my point was more about the case when the original author orphans the AUR package and then some other random person picks it up (it doesn't need any permission from the previous maintainer) and adds some weird stuff

actionless avatar Oct 03 '19 12:10 actionless

> Most important, the issue's title (Trust Management) tells us it would be a security issue, a threat concern, but a change in commits' authors does not tell much about this topic:

Trust != Security

it's simply about trusting some contributor's changes or not

actionless avatar Oct 03 '19 12:10 actionless