Re: Fwd: A plea for communication from Arch devs & maintainers





On 11/3/21 03:42, Jonas Witschel wrote:

> Opening a bug report with the necessary information is very simple,

With as much respect as I can textually apply, I would not describe the description that follows as "simple."    Instead, I'll talk about my experiences with simple version bumps with something I need.   Often it's a security patch, but sometimes it's a feature.

A simple version bump for a package is some time behind.   I don't know why; web forums are poisonous and search generally lands on pages where someone is getting it wrong, and frankly stuff like that can't be found on bbs anyway.  There's nothing in the bug reports.  However, simple version bump patches are not welcome, and the time I submitted one did not go well.

So what I've done for the last decade or so is snag the package out of asp, create a "pkgrel=0" package with the change, and get on with my life.   When the official package comes out, my band aid goes away.

What does this have to do with the AVG?   Haven't a clue, but it seems like it would be a nice thing if I could share my "clerical work" with the group without making it seem like I'm mad at the maintainer for living life and catching Dune on IMAX.

Now, I've encountered this situation less than a hundred times over my life with Arch, and the incidence is decreasing over time.  It's rare enough that I barely register it as a problem, but people are talking about it so I figured I should speak up.

My crude idea about a way to update pkgver and *sums without spamming up the buglist was a way to address my experiences and (apparently) the experiences of other folks on the list.

> If you are aware of any open security issues that are not yet included in the
> security tracker, we would love to hear about them! The easiest way to get in
> touch is the #archlinux-security IRC channel on Libera Chat, but see [2] for
> more ways of contact.

FWIW, I do not necessarily agree that there are security-specific issues involved here.   All I mean is given the architecture of Arch, there are really easy ways to show what the problem is outside the aegis of AUR or the repos, if there *is* a problem.

If there isn't a problem, trying to organize the stated issues into actual solutions would make that clearer.


> Finally, I would like to contest the assertion that users would need "a lot of
> local package updates for security fixes" in order to keep a secure system:
> looking at the open security issues in [1], the vast majority of these are
> unresolved upstream, so no package update will solve them.

This is a very mild microcosm of my experiences with Arch Linux, and why a thread about "a plea for communication" speaks to me. I installed Arch for the first time when I did something unspeakable to a MacBook and needed something until I fixed it. Not too long after that, every device I could make run Arch was running Arch. Technically, it's simple and magnificent.

Yet, as soon as a person is involved simple goes out the window. Most of my interfaces with the Arch team have always been challenging, and every time I dip my toe in I end up having someone "contest" what I'm saying in varying degrees.   The only major package I maintain in AUR happened because I accidentally offended the TU who was maintaining the package.

There are a lot of unspoken rules to the Arch Linux community. More than I'm used to from a volunteer organization and I work 100% in the volunteer space.   Thus far I have been unable to navigate it.   Since Arch continues to make good technical decisions-- even when I disagreed with those decisions-- I decided to keep using it and just keep my trap shut.

When someone else seemed like they were facing the same issues I was, I decided to speak up.   Then people started going on about how Reddit is "cucked" and brigading on 4chan, so I probably should have continued with the trap shut business.

Nonetheless, you do good work and I thank you for it.

-Sam




