On Sun, 14 Oct 2018 23:38:54 +0200 Baptiste Jonglez <[email protected]> wrote:
> Hi,
>
> On 14-10-18, Doug Newgard via aur-general wrote:
> > Decided to take a quick look at your PKGBUILDs, and just a few spot checks
> > makes me wonder. The first one I click on is apache-flex-sdk, I see that you
> > aren't the original submitter, so I look at the git log and see that the first
> > thing you did when taking over this was to remove pgp checks from the source.
> > WTF. Look at the PKGBUILD, see a totally useless prepare function, ok, not a
> > big thing. Let's check another one, clicked on flif, see msg2s being used for
> > no reason and bad conflicts. Click on a couple more, see that those issues
> > aren't mistakes, they're a fundamental misunderstanding.
> >
> > Maybe my perception was colored by that really bad decision to remove the pgp
> > checks, and while the PKGBUILDs are mostly fine, there seems to be things about
> > packaging that you don't understand yet. Is it time to become a TU already?
> >
>
> Well, as always, you could start by not being immediately aggressive
> towards people.

Please read my email again, it was not aggressive in any way. My response to
your candidate would be aggressive, I'm still deciding if I want to actually
send that.

>
> Judging from the handful of PKGBUILDs I've read, the quality is really
> high overall, they don't even have most of the "classical" small mistakes
> (there is source renaming when needed, etc). We don't require new TUs to
> do everything perfectly, and nothing is ever perfect anyway. There's
> always something new to learn.

I'm not talking about expecting perfection, I'm seeing consistent issues that
point to a possible misunderstanding on how packaging is handled. That is a
cause for concern and worth being brought up.

>
> Regarding the PGP checks, there is no question that they are very useful
> and desirable for packages in our repositories. I am sure that Daniel
> will make efforts to add PGP checks wherever possible when he moves
> packages to [community]. But for the AUR, the situation is a bit
> different (in my opinion) because I know it throws some people off when
> they don't know that they have to import a PGP key to build the package.
> I tend to include them anyway now, but I would understand that somebody
> would like not to.

The situation in the AUR is no different at all. Downgrading PKGBUILDs to
appease users who don't want to learn anything is a serious problem and is a
cause for grave concerns.

>
> Anyway, for the specific case of apache-flex-sdk, look at the comments:
> the signing key simply seemed to have expired.
>
> Baptiste
