The main mechanism for moving packages from the AUR into the official
repositories seems to be the "Vote for this package" mechanism.
Ideally, all packages would just be in the official repositories, and
there'd be no AUR. Obviously we don't have the resources for that, so
there needs to be some mechanism for prioritizing packages.
Because you have to register an account to vote (and I didn't even
*know* about it until today), the voting mechanism is not effective at
filtering out the important packages from the sea of mostly-irrelevant
obscure packages, and it's certainly not a good indicator for package
quality. This means important packages are getting left behind in the
AUR even when all other Linux distributions include them in their
official repositories.
Ultimately, relying on a vote-based popularity measurement too much is
hurting -- or is going to hurt -- Arch Linux.
Take for example tahoe-lafs and tripwire, with 32 and 13 votes
respectively.
https://aur.archlinux.org/packages/tahoe-lafs/
https://aur.archlinux.org/packages/tripwire/
These are extremely important tools. And, while they may not be popular
as measured by the voting system, they are widely used, and both are
included in Debian's official repositories.
Instead of being able to quickly and easily install signed binaries with
`pacman -S`, a security-conscious user wanting one of these tools has to
manually inspect the PKGBUILDs for the packages themselves and many of
their dependencies to make sure that they're not malicious. And after
they do all that, they still have to trust insecure connections and MD5
checksums.
There needs to be an official channel for hearing reasoned arguments on
why a package should or should not be included in the real repositories,
and the unscientific vote count should come second.
Is there such a thing?
Thanks for reading,
--
Taylor Hornby
