Re: [arch-general] Is Voting Effective?

2014-04-13 Thread Alex Jordan
On Apr 11, 2014 4:45 PM, Taylor Hornby ha...@defuse.ca wrote: I'm saying: A single trusted person blindly building and signing packages is more secure than everyone blindly building and signing packages. As others have said: users should not be blindly building and installing packages. Friendly

Re: [arch-general] Is Voting Effective?

2014-04-12 Thread Paladin
On , Taylor Hornby wrote: I'd also argue that not all users know how to do that, and the process is time consuming (especially when there are dozens of dependencies), so it's effectively impossible for a subset of users. There are tools which

Re: [arch-general] Is Voting Effective?

2014-04-12 Thread Felix Yan
On Saturday, April 12, 2014 02:28:55 Nowaker wrote: Regarding the subject (Is Voting Effective?). Theoretically, packages are picked from AUR to [community] according to the number of votes. However, I have never seen anything like that. Any time a new Trusted User candidate asks to join the

[arch-general] Is Voting Effective?

2014-04-11 Thread Taylor Hornby
The main mechanism for moving packages from the AUR into the official repositories seems to be the Vote for this package mechanism. Ideally, all packages would just be in the official repositories, and there'd be no AUR. Obviously we don't have the resources for that, so there needs to be some

Re: [arch-general] Is Voting Effective?

2014-04-11 Thread Peter Baldridge
On Fri, Apr 11, 2014 at 2:40 PM, Taylor Hornby ha...@defuse.ca wrote: both are included in Debian's official repositories. Debian has more packages than any other distro that I am aware of. Last I heard, it was around 30,000. That is one thing they do very well. That's very much the polar

Re: [arch-general] Is Voting Effective?

2014-04-11 Thread Mark Lee
On 04/11/2014 05:40 PM, Taylor Hornby wrote: The main mechanism for moving packages from the AUR into the official repositories seems to be the Vote for this package mechanism. Ideally, all packages would just be in the official repositories, and

Re: [arch-general] Is Voting Effective?

2014-04-11 Thread Taylor Hornby
On 04/11/2014 03:48 PM, Peter Baldridge wrote: On Fri, Apr 11, 2014 at 2:40 PM, Taylor Hornby ha...@defuse.ca wrote: both are included in Debian's official repositories. Debian has more packages than any other distro that I am aware of. Last I heard, it was around 30,000. That is one thing

Re: [arch-general] Is Voting Effective?

2014-04-11 Thread Daniel Micay
Packages are included in the repositories if and only if a developer or trusted user is interested in maintaining the package. In my opinion, it's best for packages to be maintained by people who actually use and care about them even if it means that they're in the AUR instead of the official

Re: [arch-general] Is Voting Effective?

2014-04-11 Thread Taylor Hornby
On 04/11/2014 03:57 PM, Daniel Micay wrote: Packages are included in the repositories if and only if a developer or trusted user is interested in maintaining the package. In my opinion, it's best for packages to be maintained by people who

Re: [arch-general] Is Voting Effective?

2014-04-11 Thread Daniel Wallace
and the storage space comes from to support this kind of repository? Daniel Date: Fri, 11 Apr 2014 16:06:40 -0600 From: ha...@defuse.ca To: arch-general@archlinux.org Subject: Re: [arch-general] Is Voting Effective? On 04/11/2014 03:57 PM, Daniel

Re: [arch-general] Is Voting Effective?

2014-04-11 Thread Taylor Hornby
On 04/11/2014 04:27 PM, Daniel Wallace wrote: So you're saying... blindly trusting someone else that is unknown to build and blindly sign a package is more secure than you downloading the pkgbuild with cower or something, looking at the PKGBUILD,

Re: [arch-general] Is Voting Effective?

2014-04-11 Thread Taylor Hornby
On 04/11/2014 04:27 PM, Daniel Wallace wrote: So you're saying... blindly trusting someone else that is unknown to build and blindly sign a package is more secure than you downloading the pkgbuild with cower or something, looking at the PKGBUILD,

Re: [arch-general] Is Voting Effective?

2014-04-11 Thread Mark Lee
On 04/11/2014 07:45 PM, Taylor Hornby wrote: On 04/11/2014 04:27 PM, Daniel Wallace wrote: So you're saying... blindly trusting someone else that is unknown to build and blindly sign a package is more secure than you downloading the pkgbuild

Re: [arch-general] Is Voting Effective?

2014-04-11 Thread Nowaker
Hi guys, I really enjoy our status quo with AUR. This is the first user-repo in the Linux world that is easy to talk to. Just compare to these Ubuntu's PPAs that you first need to find and trust. I really prefer to run yaourt -Ss package-i-am-looking-for, and not to Google for arch linux