Comment by dualvariable

2 days ago

That is a terrible way to run a package repo in this day and age.

Maintainers need to have some level of vetting, and should own a repo or three for a while to establish a track record, before they get to blast out contributions to 100 of them without any review.

10 comments

dualvariable

Reply
Gormo  2 days ago

AUR isn't a package repo. It's a collection of user-contributed PKGBUILD scripts, to make building packages from upstream source distributions more convenient. It's not meant to be treated like an official repo of binary packages.

  • dualvariable  2 days ago

    That's a semantic detail based on the choice of build from source over binary distribution.

    This is also a terrible way to run a package build system in this day and age as well, if you like. I feel exactly the same way about it, and when I wrote that I understood what it was, so I didn't need that helpful correction (I first used the FreeBSD ports system sometime around the turn of the millennia).

    • embedding-shape  2 days ago

      > That's a semantic detail based on the choice of build from source over binary distribution.

      It's not, AUR is more like GitHub, anyone can upload content there, not like a proper repository where things are reviewed, verified and cared for.

      You're complaining about "curl https://random-website.com | bash" being "a semantic detail" while it's a major difference in how much trust you can put into it. If you don't trust random-website.com, you shouldn't trust AUR packages. But very different from BSD Ports or Arch's official repositories.

      6 replies →