On Sun, Jan 16, 2022 at 7:07 AM <info@sick.codes> wrote:
>
> Thanks for pointing that out, Jonathon. I'll fix it tomorrow, as I have done in 
> the past when changes were requested.
>
> I have concerns about the intent of the user requesting the deletion; for 
> some unknown reason the request came out of thin air to an actively 
> maintained package, created a duplicate -git, removed all Contributors to the 
> header comment, then filed a merge request, which was merged even after 
> changes had been made.
>
> env25 suggested I add pkgver. I took the user's word for it, and the user did 
> not cancel the original merge request which moved all the history of non-git 
> to the git repo. It was approved as I wasn't subscribed at the time to the 
> mailing list and didn't respond on the list. I certainly responded in the 
> comments, however, as per the guidelines.
>

I did not suggest adding pkgver(). I said a proper VCS package also
needs pkgver(). I never suggested any changes.

Even if I did, it is you who added the change.

> Env25 was a brand new account but knew everything about the AUR which can 
> insinuate multiple conclusions.
>

What are you insinuating? Please stop this useless discussion.

> All I care about is the security of the package. The package history which I 
> have kept in absolute full had been dormant since 2017. I decided to revive 
> it after almost 5 years and I’m actively maintaining it.
>
> I have no attachment to the package, however I’m just concerned for the 
> security of the package which at the time was from a brand new user, yet knew 
> everything about the AUR process.
>

I made you a co-maintainer for anbox-modules-dkms-git.

The original package was a VCS package that did not have a -git
suffix. You changed it to pin a specific commit just to keep an unneeded
package there; it does look like you are attached to the package.

> The most appropriate thing to do is merge the -git package back into non-git, 
> which restores all the comment history, including Fabio's original suggestions 
> to fix, which I addressed.
>
> Then env25 should recreate the git package, as all of the historical and 
> important comments were moved to the new one and make no sense, as there's now 
> no git history, no previous maintainer information, no changelog, nowhere to 
> submit a PR, and does not respond to comments.
>

I wrote the PKGBUILD for anbox-modules-dkms-git from scratch, there's
no need for Git history.

> I don’t understand why eNV25 was in a rush to merge the package yet knows I’m 
> trivially contactable.
>

Your package was a VCS package. This request is separate.

> Now wants to delete the pinned package, which helps nobody who wants to use 
> it.
>

What's the use for the pinned package? There is no use if you are just
going to update it every commit.

> That’s my security paranoid hat on, but I still don’t get the logic behind 
> why the user was in a rush to take over a highly maintained package.
>

I don't consider taking an old PKGBUILD and uploading it to AUR as-is
a highly maintained package.

> I added a forewarning to the wiki specifically to address security with the 
> package https://wiki.archlinux.org/title/Anbox#Security
>
> Regards,
>
> In good faith,
>
> Sick Codes of the Security Research Team @SickCodes
>
> https://sick.codes
> https://github.com/sickcodes
> https://twitter.com/sickcodes
> https://www.linkedin.com/in/sickcodes/
> https://www.youtube.com/c/sickcodes
> https://parler.com/profile/sickcodes/
> https://hackerone.com/sickcodes
> https://bugcrowd.com/sickcodes
> https://hub.docker.com/r/sickcodes
>
>
> Jan 16, 2022, 04:21 by aur-requests@lists.archlinux.org:
>
> On 15/01/2022 19:00, Sick Codes via aur-requests wrote:
>
> anbox-modules-dkms follows last working commit with the patch for 5.10
>
> anbox-modules-dkms-git follows master branch with sed instead of a patch
>
>
> As of [1], anbox-modules-dkms is pinned to upstream commits. It is therefore 
> not a VCS package (and doesn't need a pkgver() function, so I'm not sure why 
> one was added).
>
> The sed and patch are now a moot point as 5.10 is no longer in the repos (and 
> looking at the discussion on [2] I'm not convinced either approach is the 
> correct one).
>
> [1] 
> https://aur.archlinux.org/cgit/aur.git/commit/?h=anbox-modules-dkms&id=d77ac721b2e845eb537f23f936287f8b6bbb0363
> [2] https://github.com/choff/anbox-modules/pull/1
>
>
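The distinction the thread turns on (a git source that follows a branch needs a pkgver() function and, by AUR convention, a -git suffix, while a source pinned to a single commit has a fixed version and does not need pkgver()) can be checked mechanically. The script below is an added example and is not code from this thread or from either anbox-modules PKGBUILD. It assumes sources are written as git+<proto>:// or git:// URLs and that a pinned commit uses makepkg's #commit= fragment; the PKGBUILD texts it reads are constructed for the example, and it also covers the non-git (release tarball) case, which the thread does not discuss.

```shell
#!/bin/sh
# Added example, not from the thread or the anbox-modules PKGBUILDs.
# Classifies how a PKGBUILD tracks upstream:
#   vcs    - git source without #commit=: follows a branch, so the package
#            needs pkgver() (and, by AUR convention, a -git suffix)
#   pinned - git source with #commit=<hash>: version is fixed in the file,
#            so pkgver() is unnecessary
#   static - no git source (e.g. a release tarball): same as pinned
# Assumptions: git sources use git+<proto>:// or git:// URLs and pins use the
# makepkg #commit= fragment. The PKGBUILD texts in demo() are constructed.

# classify_pkgbuild FILE  -> prints "<kind> <verdict>" on one line
classify_pkgbuild() {
  kind=static
  # a git URL anywhere in the file (the source= array may span lines)
  if grep -Eq '(^|[^a-z])git(\+[a-z]+)?://' "$1"; then
    if grep -Eq '#commit=[0-9a-fA-F]{7,40}' "$1"; then
      kind=pinned
    else
      kind=vcs
    fi
  fi
  if grep -Eq '^pkgver[[:space:]]*\(\)' "$1"; then
    has_pkgver=1
  else
    has_pkgver=0
  fi
  case "$kind:$has_pkgver" in
    vcs:0)    verdict="needs pkgver() (tracks a branch; should carry a -git suffix)" ;;
    vcs:1)    verdict="ok (VCS package with pkgver())" ;;
    pinned:1) verdict="pkgver() unnecessary (commit is pinned in source=)" ;;
    static:1) verdict="pkgver() unnecessary (no VCS source)" ;;
    *)        verdict="ok (fixed version)" ;;
  esac
  printf '%s %s\n' "$kind" "$verdict"
}

# classify_text: same check on PKGBUILD text read from stdin
classify_text() {
  tmp=$(mktemp) || return 1
  cat > "$tmp"
  classify_pkgbuild "$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}

demo() {
  # Constructed: a VCS package that follows the default branch.
  classify_text <<'EOF'
pkgname=example-modules-dkms-git
pkgver=r42.gabcdef0
source=("git+https://example.invalid/example/modules.git")
pkgver() {
  cd modules
  printf "r%s.g%s" "$(git rev-list --count HEAD)" "$(git rev-parse --short HEAD)"
}
EOF
  # Constructed: the same upstream pinned to one commit but still carrying pkgver().
  classify_text <<'EOF'
pkgname=example-modules-dkms
pkgver=0.1.r5
source=("git+https://example.invalid/example/modules.git#commit=0123456789abcdef0123456789abcdef01234567")
pkgver() {
  cd modules
  printf "r%s.g%s" "$(git rev-list --count HEAD)" "$(git rev-parse --short HEAD)"
}
EOF
}

demo
```

Run it on a real PKGBUILD with `classify_pkgbuild ./PKGBUILD`; the second constructed case reproduces the situation described above, where a commit is pinned in source= yet a pkgver() function was added anyway.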
