Hey Christian!

On 2019-02-25 6:21 PM, Christian Rebischke via aur-general wrote:
> 1. Can you describe in a few sentences how you build your packages for
> the AUR and for your own repository?

For the AUR: I just run makepkg -i and makepkg --printsrcinfo > .SRCINFO. I keep it pretty casual for the AUR.

For my own repository: I have a script called pkgkit[0] which automates some of the work. It automatically takes care of things like bumping pkgrel & checksums, common sources of human error. Then I submit it to my CI with this[1] build manifest, which boots up a fresh Arch Linux VM to build the package on, and uploads it to my repo.

[0] https://git.sr.ht/~sircmpwn/sr.ht-pkgbuilds/tree/master/pkgkit
[1] https://git.sr.ht/~sircmpwn/sr.ht-pkgbuilds/tree/master/build.yml

> 2. How do you keep track of updates of upstream software? Do you use a
> specific software for it? Which one?

For the AUR I don't keep up with upstream releases, I just wait for someone to mark the package as outdated. For Alpine Linux I use a combination of subscribing to the upstream -announce mailing list and subscribing to GitHub releases as appropriate; would do something similar for Arch Linux community.

> 3. Do you plan to socialize with the community? If yes: on which
> platforms? If no: why?

Sure, and I already do some. Just on IRC.

> 4. What do you like about Arch Linux at most? What do you hate about it?
> (You can be open here, I will not judge ^___^)

I like that everything is up to date and for the most part Just Werks. I dislike glibc and systemd, but we needn't take that particular flamewar any further than that.

> 5. Are you willing to attend real-life meetups on conferences like
> FrOSCon, CCC, etc?

Yep. I met many Arch Linux developers at FOSDEM a few weeks ago.

> 6. Do you have any experience with security?

This is a pretty broad and open-ended question. I suppose my answer is "yes"?

> 7. A user opens a bug report, where the user reports a security
> vulnerability in one of your packages. The security vulnerability is
> unknown and seems to be a 0-day. How do you react?

I let upstream know about the issue and then hand them the reins.
I consider security vulnerabilities an upstream problem and delegate authority on how to proceed to them. When a fix is available I'll ship it in my Arch package. I'm not really into the whole responsible disclosure aka pressuring upstream into fixing it yesterday kind of approach.

> That's all from me. Thanks for your hard work with sway btw :)

:)
