Hi guys,
I really enjoy our status quo with AUR. This is the first user repo in
the Linux world that is easy to talk to. Just compare it to Ubuntu's
PPAs, which you first need to find and trust. I really prefer to run
yaourt -Ss package-i-am-looking-for rather than Google for "arch linux
package-i-am-looking-for", then call repo-add, etc. Staying in the
console is a very big plus for me.
I am also satisfied with how AUR users keep it clean. Delete requests
(including binaries directly in the PKGBUILD!), merge requests, disown
requests... While there could be more automation involved, I do believe
AUR is the best user-repo I have ever used.
Lastly, I am OK with building the packages myself. After all, I see the
PKGBUILD, which is just simple code. Or, alternatively, I can see where
the binaries are downloaded from. If they are downloaded from upstream,
I am totally OK with that. Binaries built by AUR wouldn't be nice.
The process could also involve grabbing the files (or hashes) through
different Tor exit nodes and comparing them to make sure they're all the
same, and there's no attacker messing with the local Internet
connection.
This is the *only* improvement I could see for AUR: not only trust the
sha256sums provided by the maintainer, but also have a guarantee that
these sha256sums are validated by AUR. If they don't match, the package
is not available for download.
Anything else, like binaries built by AUR itself, trusting the users,
finding their private repos, etc., I do oppose.
Regarding the subject (Is Voting Effective?): theoretically, packages
are picked from AUR to [community] according to the number of votes.
However, I have never seen anything like that. Any time a new Trusted
User candidate asks to join the team, they list packages that they want
to move from AUR to [community]. It's totally arbitrary. If there's no
one interested in maintaining the package, it remains in AUR. Fine by
me.
--
Kind regards,
Damian Nowak
StratusHost
www.AtlasHost.eu
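As an added illustration of the multi-path hash check proposed in the message above (example code, not from the mailing list or the AUR project): a Python checker that parses the source=() and sha256sums=() arrays of a PKGBUILD, fetches each source over several independent paths (stand-ins for separate Tor circuits, injected as callables), and accepts a source only when every copy agrees and matches the maintainer-declared sum. The PKGBUILD text, URLs and tarball bytes are constructed for the demo.

```python
import hashlib
import re
import shlex
from typing import Callable, Dict, List

# Matches bash array assignments such as source=(...) and sha256sums=(...),
# including arrays that span several lines.
ARRAY_RE = re.compile(r"^(\w+)=\((.*?)\)", re.MULTILINE | re.DOTALL)


def parse_arrays(pkgbuild: str) -> Dict[str, List[str]]:
    """Extract bash arrays from PKGBUILD text, stripping the shell quoting."""
    return {name: shlex.split(body) for name, body in ARRAY_RE.findall(pkgbuild)}


def source_url(entry: str) -> str:
    """makepkg allows 'localname::url' in source=(); keep only the URL part."""
    return entry.split("::", 1)[1] if "::" in entry else entry


def verify_sources(pkgbuild: str, fetchers: List[Callable[[str], bytes]]) -> Dict[str, str]:
    """Map each source URL to a verdict. Each fetcher is one independent download
    path (e.g. one Tor circuit). 'ok' requires identical bytes from every path
    AND a sha256 equal to the sum declared by the maintainer."""
    arrays = parse_arrays(pkgbuild)
    sources, declared = arrays.get("source", []), arrays.get("sha256sums", [])
    if len(sources) != len(declared):
        raise ValueError("source and sha256sums arrays differ in length")
    verdicts = {}
    for entry, expected in zip(sources, declared):
        url = source_url(entry)
        if expected == "SKIP":  # makepkg's 'no checksum' marker, usual for VCS sources
            verdicts[url] = "unverifiable: checksum skipped by maintainer"
            continue
        digests = {hashlib.sha256(fetch(url)).hexdigest() for fetch in fetchers}
        if len(digests) > 1:
            verdicts[url] = "rejected: fetch paths disagree"
        elif digests != {expected.lower()}:
            verdicts[url] = "rejected: content does not match declared sha256sum"
        else:
            verdicts[url] = "ok"
    return verdicts


def demo() -> Dict[str, Dict[str, str]]:
    """Constructed scenario (no real package): three clean paths vs. one altered path."""
    tarball = b"constructed tarball bytes for example-tool 1.0\n"
    pkgbuild = f"""source=("example-tool-1.0.tar.gz::https://example.invalid/dl/1.0.tar.gz"
        "git+https://example.invalid/example-tool.git")
sha256sums=('{hashlib.sha256(tarball).hexdigest()}' 'SKIP')
"""
    clean, tampered = (lambda url: tarball), (lambda url: tarball + b"#")
    return {"honest": verify_sources(pkgbuild, [clean] * 3),
            "attacked": verify_sources(pkgbuild, [clean, tampered, clean])}
```

A single tampered path is enough to withhold the package, which is the "not available for download" policy the message asks for; the SKIP case shows where such a check has no maintainer-declared value to compare against.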