[aur-general] Tarball Guidelines

Mon Dec 6 15:20:06 CET 2010

Am Mon, 6 Dec 2010 00:26:22 -0500
schrieb keenerd <keenerd at gmail.com>:

> It's an experiment I've been working on for some time.  To appease
> Heiko I've removed all trace of personality and variety from the form
> message.

In most cases there's a reason for having binaries, icons and the like
in a package. And whether such a package actually has a bad quality or
its contents are necessary can't be decided by a bot.

It's pretty the same as the case when someone thought in the past it
was sufficient to just comparing two package names and to sending a
removal request for one of these packages just because a part of the
package names is equal without looking into these packages and without
reading the PKGBUILD.

So such a bot can probably help you to finding possible candidates with
a bad packaging quality, but you have to verify those packages by
yourself. So a bot should at the very most create a list of those
packages for you, but should definitely not write comments to AUR.

Then you should verify the packages on this list by looking into those
packages and reading the PKGBUILDs. Only if you then find a package
which really doesn't respect the policies you can post a comment for
this package manually or create another list with those packages and
let a bot sending the comments to the packages on this second list.

But having a bot sending such comments just because there's
one .desktop file or icon in the package is spam. And think about the
responses of the maintainers or other users to those comments. And
consider that this spam goes into the inboxes of up to hundreds of
people.

Btw., the QA in AUR is usually pretty good, because comments for a
package are usually written pretty fast by other users or TUs if a
package doesn't respect some guidelines, has bugs or a bad quality or
isn't trustworthy.

And if a maintainer doesn't respond to such comments or doesn't fix
those issues users usually send an orphan request to the mailing list to
be able to fix these issues themselves.

So there's usually no need for such a bot.

> I've also come across a bug in the AUR.  In short, the tarball URL
> provided by the RPC interface is different from the tarball taken from
> the html page.  The RPC tarball is *exactly* what was uploaded.  While
> the html tarball has been sanitized.  So let's say someone uploads
> something that is not even a tarball.  The AUR fixes this and pushed
> it to the html.  The RPC link goes to the original, and Mr Robot
> complains.  Human looks at html tarball and sees nothing wrong.
> Confusion abound.  I'll remove those comments.

I don't know how all the AUR scripts like yaourt, aurbuild, clyde etc.
retrieve the tarballs from AUR, whether they get it from the HTML or the
RPC interface. And I don't know how the HTML interface should sanitize
packages and what you actually mean with sanitize. But I had absolutely
no such problems with AUR packages, yet.

Heiko