Re: [arch-dev-public] AUR ToS (aka making AUR user names public)

2017-03-05 Thread Thorsten Töpper
On Sun, 05 Mar 2017 14:35:05 +0100
Lukas Fleischer  wrote:

> Hi,
> 
> I was recently contacted by a Polish researcher asking for a list of
> AUR account names. I did not expect this to be controversial but a
> couple of Trusted Users raised concerns on IRC, so I decided to move
> this to the public mailing list and discuss the whole topic in
> generality. I would like to hear more opinions but please read the
> whole email and give it a second thought before simply bringing up
> the usual privacy arguments mentioned below.
> 
> My original question was: Are we fine with sharing the list of AUR
> account names (only user names, no real names or email addresses)
> with a researcher that seems trustworthy and agrees to not share the
> data in any form other than the resulting anonymized statistics?
> 
> In this particular case, we are talking about Dorota Celinska [1] from
> the University of Warsaw, Faculty of Economic Sciences [2], see [3]
> for a list of her publications and [4] for a summary of her research
> project funded recently by the Polish National Science Centre. She
> needs the list of user names to perform a segmentation analysis,
> including users which were active on the older AUR releases but do
> not show any activity on AUR 4. She would also like to use the user
> names as identifiers to establish connections with other platforms,
> such as GitHub.
> 
> The next question is: Would it make sense to even make this data
> publicly available? Would it make sense to extend our RPC interface
> such that one can search for user names? GitHub, for example, already
> provides such an interface [5]. Let me quickly summarize some
> arguments for this idea which came up on IRC:
> 
> * User names are mostly identifiers. It is questionable whether they
>   can/should be considered personal/private information. Maybe this
> can only be answered by a lawyer, though.
> 
> * The user names of all accounts with any kind of public activity,
> like uploading a package, filing a request, writing a comment, are
> public already.
> 
> * After logging into the aurweb interface, you can already check
> whether an account with a given user name exists because the account
> details page URIs have the form
> https://aur.archlinux.org/account/$username. This means that for any
> platform providing a list of user names (such as GitHub), you can
> "establish connections" with the AUR already.
> 
> Now the arguments against:
> 
> * Principle of data economy: We should not share any kind of
> information we do not need to share.
> 
> * Sharing user names lowers the threshold for sharing other
> information which is considered more confidential.
> 
> * Users can (and should) already use crawlers to fetch the user names.
>   For example, the user names of all package maintainers and comment
>   authors appear on the package details pages. The names of all users
>   filing package requests appear in the mailing list archives etc.
> 
> * We do not have ToS so we better not share anything.
> 
> I, personally, find the second last argument a very weak one. Telling
> users to build crawlers scraping and brute-forcing our HTML pages makes
> life difficult for both them and us. What do you think?
> 
> On the other side of the coin, the last argument is a very good one
> and it brings me to my last point. Independently of the outcome of
> this discussion, I think we should add some ToS that users need to
> agree upon when registering. It should contain information on
> liability and on privacy. Is anybody willing to write a draft? Do we
> need the support of a lawyer here?
> 
> Thank you for your time and have a nice Sunday!
> 
> Regards,
> Lukas
 

Hello,

As stated in IRC I'm against handing out user data (including nick
names) to a 3rd party. Personally due to the mentioned privacy stuff, but
also because of the legal problems we may run into as we don't have a
ToS. So under these circumstances I have a bad feeling about making this
information available to someone else, even if the person leaves a proper
impression.

Regarding the crawler I put in as a workaround for the researcher
party to collect the already available public names, I don't understand
why you extend this to brute-forcing the account pages or going
through archives of the mailing list. The suggestion I made was that
it's simple to collect a list of all packages stored in AUR and then
get the common fields of original submitter, maintainers and people who
made comments for each package. Either by using a plain GET to request
the HTML page for the package or by using the interfaces available (I'm
not familiar with those and what they provide). This does not involve
any brute force attacks as the package names are available. Also, no
login is necessary for the scripts doing this.

The names gathered this way are already public and can be found with
every large search engine. Sure this will create some load, but I
assume any reasonable person would put a 

Re: [arch-dev-public] Long out of date packages

2016-10-23 Thread Thorsten Töpper
On Thu, 20 Oct 2016 14:25:02 +0200
Florian Pritz via arch-dev-public  wrote:

...
> ttoepper:
> community/x86_64/confuse

Disowned the package.




Re: [arch-dev-public] ANNOUNCEMENT: pacman hooks

2016-03-23 Thread Thorsten Töpper
On Wed, 23 Mar 2016 13:30:45 +1000
Allan McRae  wrote:

> Hi all,
> 
- snip -
> 
> --DRAFT--
> Required update to pacman-5.0.1 before 2016-04-17
> 
> The release of pacman-5.0 brought support for transactional hooks.
> These will allow us to (e.g.) run font cache updates a single time
> during an update rather than after each font package.  This will both
> speed up the update process and reduce the packaging burden for the
> Developers and Trusted Users.
> 
> In order for the use of hooks to be started, we require all users to
> have updated to at least pacman-5.0.1 before 2016-04-23. Pacman-5.0.1
> was released on 2016-02-23, so this will have given everyone two
> months to update their system.
> --END DRAFT--
> 
> Comments?
> 
> Allan

Hi Allan,

looks good except for the date. April 17 or 23? Probably the latter.

Cheers,
Thorsten



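As an added illustration of the transactional hooks mentioned in Allan's draft (this is example content written for this archive, not part of the announcement and not pacman's own shipped hook), here is a hook file in the alpm-hooks format that refreshes the fontconfig cache once after the whole transaction instead of once per font package. The file name and the choice of `fc-cache -s` as the action are assumptions; the section and key names are the ones pacman 5.0.x reads.

```ini
# Added example hook, assumed to be saved as
# /etc/pacman.d/hooks/fontconfig-example.hook (the name is a placeholder).
# Hook files must end in ".hook" and live in the HookDir set in pacman.conf
# (/etc/pacman.d/hooks for local overrides).

[Trigger]
# Fire on installs, upgrades and removals ...
Operation = Install
Operation = Upgrade
Operation = Remove
# ... of any package that ships files below /usr/share/fonts.
# "Type = File" is the trigger type pacman 5.0.x understands; Target is a
# glob relative to the filesystem root, written without a leading slash.
Type = File
Target = usr/share/fonts/*

[Action]
Description = Updating fontconfig cache...
# Only run if fontconfig is actually installed, so the hook cannot fail on
# a system without fc-cache.
Depends = fontconfig
# PostTransaction: run a single time after every package in the
# transaction has been installed, upgraded or removed.
When = PostTransaction
# -s limits the scan to system-wide font directories.
Exec = /usr/bin/fc-cache -s
```

With this in place, a transaction that touches several font packages prints the hook description once under the post-transaction hooks instead of running a cache rebuild from each package's install script, which is exactly the duplication the announcement says hooks remove.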

Re: [arch-dev-public] [signoff] linux-3.8.11-1

2013-05-02 Thread Thorsten Töpper
On Thu, 02 May 2013 19:24:01 +0200
Tobias Powalowski tobias.powalow...@googlemail.com wrote:

> Hi guys,
> please signoff 3.8.11 series for both arches.
> package is not in testing, please grab it from here:
> http://dev.archlinux.org/~tpowa/linux/
> 
> This will move to [core] directly, because 3.9.0 is in [testing].
> 
> greetings
> tpowa

Signoff x86_64, works fine on an X200 ThinkPad.




Re: [arch-dev-public] Unannounced mass edit of community PKGBUILDs

2012-10-25 Thread Thorsten Töpper
On Thu, 25 Oct 2012 10:07:09 +0300
Evangelos Foutras evange...@foutrelis.com wrote:

> I noticed that all of my community packages were modified by r78782
> [1] (Full pkgdesc cleanup for 2339 packages).
> 
> This was not discussed beforehand as it should have been. I would have
> been against it and we probably would have saved ourselves lots of
> unneeded noise in the repository.
> 
> Besides the obtrusiveness of this commit, there were a couple more
> issues:
> 
> - Indentation of pkgdesc inside package_*() functions was lost
> - Double quotes were changed to single quotes even though
>   /usr/share/pacman/PKGBUILD.proto uses single quotes
> 
> Whether or not it is a good idea to automatically try and correct
> slightly wrong package descriptions (in my opinion it's not worth it),
> the lack of communication is unacceptable.
> 
> I went ahead and reversed the changes moments ago so the whole thing
> is now a noop.
> 
> Please let's not do this again. :)
> 
> [1]
> https://projects.archlinux.org/svntogit/community.git/commit/?id=9f040fd30a39c05d750d670ca40fc80f6c648b71

As all of my packages were also part of this commit, it'd really be nice
to be told about the reason for this. Because it was not just the
quotes but also the content of the description.

https://projects.archlinux.org/svntogit/community.git/diff/john/trunk/PKGBUILD?id=9f040fd30a39c05d750d670ca40fc80f6c648b71

It is not wanted for packages to contain the package name in the
description, and this is right for almost every package, yet in my
opinion the package john is one of the few exceptions. The program
sources and binaries are a plain john, yet the project itself is best
known as John The Ripper. So most people will probably search for
this and not just john when they need this tool. If this shall not be
the case, I don't have a problem with removing the project name from the
description, but stripping the name with a small script is not right.

Evangelos, thank you for reversing this commit and bringing attention
to it.

-- 
Jabber: atsut...@freethoughts.de Blog: http://atsutane.freethoughts.de/
Key: 295AFBF4 FP: 39F8 80E5 0E49 A4D1 1341 E8F9 39E4 F17F 295A FBF4

