On 04/11/2014 05:40 PM, Taylor Hornby wrote:
> The main mechanism for moving packages from the AUR into the official
> repositories seems to be the "Vote for this package" mechanism.
> Ideally, all packages would just be in the official repositories, and
> there'd be no AUR. Obviously we don't have the resources for that, so
> there needs to be some mechanism for prioritizing packages.
>
> Because you have to register an account to vote (and I didn't even
> *know* about it until today), the voting mechanism is not effective at
> filtering out the important packages from the sea of mostly-irrelevant
> obscure packages, and it's certainly not a good indicator for package
> quality. This means important packages are getting left behind in the
> AUR even when all other Linux distributions include them in their
> official repositories.
>
> Ultimately, relying on a vote-based popularity measurement too much is
> hurting -- or is going to hurt -- Arch Linux.
>
> Take for example tahoe-lafs and tripwire, with 32 and 13 votes
> respectively.
>
> https://aur.archlinux.org/packages/tahoe-lafs/
>
> https://aur.archlinux.org/packages/tripwire/
>
> These are extremely important tools. And, while they may not be popular
> as measured by the voting system, they are widely used, and both are
> included in Debian's official repositories.
>
> Instead of being able to quickly and easily install signed binaries with
> `pacman -S`, a security-conscious user wanting one of these tools has to
> manually inspect the PKGBUILDs for the packages themselves and many of
> their dependencies to make sure that they're not malicious. And after
> they do all that, they still have to trust insecure connections and MD5
> checksums.
>
> There needs to be an official channel for hearing reasoned arguments on
> why a package should or should not be included in the real repositories,
> and the unscientific vote count should come second.
>
> Is there such a thing?
>
> Thanks for reading,
> Salutations,

Packages don't reach the official repositories until they have enough sponsorship (by voting or devs pushing packages) and have been properly vetted. In addition, a security-conscious user should be inspecting PKGBUILDs (via the ABS) instead of just taking packages as is. Compiling the packages via the ABS is a further step.

Regards,
Mark
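The thread above mentions two weaknesses a reviewer of an AUR PKGBUILD should look for: sources fetched over plain http/ftp and integrity checked by MD5 alone. The script below is an added example, not code from either poster or from the Arch project; it statically greps a PKGBUILD (never sourcing it, since that would execute it) and flags both issues. The two sample PKGBUILDs it writes are constructed for the demonstration and do not correspond to real packages.

```bash
#!/usr/bin/env bash
# Added example: static audit of a PKGBUILD for unauthenticated transports
# and MD5-only checksums. Prints one WARN line per finding; returns 0 when
# clean and 1 when anything was flagged. The file is inspected with grep
# only, because sourcing an untrusted PKGBUILD runs its contents.
audit_pkgbuild() {
  local file="$1" rc=0
  # Any plain http:// or ftp:// URL (https:// does not match this pattern).
  if grep -Eq '(^|[^[:alnum:]])(http|ftp)://' "$file"; then
    echo "WARN: $file fetches over an unauthenticated transport (http/ftp)"
    rc=1
  fi
  # md5sums present with no stronger checksum array beside it.
  if grep -Eq '^[[:space:]]*md5sums(_[[:alnum:]_]+)?=' "$file" &&
     ! grep -Eq '^[[:space:]]*(sha256|sha512|b2)sums(_[[:alnum:]_]+)?=' "$file"; then
    echo "WARN: $file relies on MD5 only; add sha256sums or sha512sums"
    rc=1
  fi
  # No checksum array at all.
  if ! grep -Eq '^[[:space:]]*(md5|sha1|sha224|sha256|sha384|sha512|b2)sums(_[[:alnum:]_]+)?=' "$file"; then
    echo "WARN: $file declares no checksum array"
    rc=1
  fi
  return $rc
}

# Constructed sample PKGBUILDs (hypothetical package, .invalid domain).
SAMPLE_DIR="$(mktemp -d)"
cat > "$SAMPLE_DIR/weak.PKGBUILD" <<'EOF'
pkgname=example-tool
pkgver=1.0
source=("http://example.invalid/$pkgname-$pkgver.tar.gz")
md5sums=('d41d8cd98f00b204e9800998ecf8427e')
EOF
cat > "$SAMPLE_DIR/strong.PKGBUILD" <<'EOF'
pkgname=example-tool
pkgver=1.0
source=("https://example.invalid/$pkgname-$pkgver.tar.gz")
sha256sums=('e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855')
EOF

# Guarded calls so a finding does not abort a script running under set -e.
audit_pkgbuild "$SAMPLE_DIR/weak.PKGBUILD" || echo "weak: findings present"
audit_pkgbuild "$SAMPLE_DIR/strong.PKGBUILD" && echo "strong: clean"
```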