alexheretic / aurto

Arch Linux AUR tool for managing an auto-updating local 'aurto' package repository
MIT License

What does this do different from aurutils? #60

Closed tazer4 closed 1 year ago

tazer4 commented 3 years ago

I don't quite understand the project here, seems like all it does is set up the custom repo and run its limited commands through aurutils, why not just use aurutils without this from the start?

alexheretic commented 3 years ago

I think this is explained fairly well in the readme, essentially it's about automatic updates of aur packages & a maintainer trust system.

If you don't want auto-updates or want them done in some custom way I would indeed suggest using aurutils directly.

tazer4 commented 3 years ago

Thanks, that explains it. I personally don't require this function, and aren't GPG keys in place for verifying packager trust already? As for auto update, if one wanted couldn't they just add a simple cron job or systemd timer to launch 'aur sync -u'? I don't want to put down your work, I hope you take it as constructive criticism. Perhaps ditch the maintainer trust thing because it doesn't verify anything really, or work in a different way, perhaps linked to their PGP key somehow.

alexheretic commented 3 years ago

GPG verification isn't required in the AUR so can't be relied upon in the same way.

One motivating example is a package being orphaned then picked up by someone new. In this case they could just remove any GPG validation keys from the PKGBUILD. Here the maintainer trust system requires the new maintainer to be manually OK'd.

Overall it's a quite limited layer of security, but better than nothing (which is still an option as the system can be disabled). I imagine it can be improved.

Regarding just using your own systemd timer, that's what this project essentially is (along with the maintainer trust & simple-to-use aurto command). I don't see a problem with the project being simple & having a narrow scope, actually these are positives to me.

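As an added illustration of the maintainer-trust gate discussed in this thread (this is not aurto's code; the RPC reply and the PKGBUILD key sets below are constructed, with field names following the AUR RPC "info" format), the check holds a package when its maintainer changes or when `validpgpkeys` disappears, and blocks it outright when it is orphaned:

```python
"""Maintainer-trust gate for an unattended AUR update run (added illustration)."""
import json

# Constructed sample shaped like an AUR RPC v5 "info" reply; package and user names are made up.
SAMPLE_RPC = json.dumps({"version": 5, "type": "multiinfo", "results": [
    {"Name": "pkg-a", "Version": "1.2-1", "Maintainer": "alice"},
    {"Name": "pkg-b", "Version": "0.9-3", "Maintainer": "mallory"},
    {"Name": "pkg-c", "Version": "2.0-1", "Maintainer": None},   # orphaned
]})

# Constructed validpgpkeys state per package: (keys seen on the previous run, keys now).
SAMPLE_PGP_KEYS = {
    "pkg-a": ({"ABCD1234"}, {"ABCD1234"}),  # unchanged
    "pkg-b": ({"ABCD1234"}, set()),         # keys dropped from the PKGBUILD
    "pkg-c": (set(), set()),
}

def maintainers_from_rpc(rpc_json):
    """Map package name -> maintainer (None when the package is orphaned)."""
    return {r["Name"]: r.get("Maintainer") for r in json.loads(rpc_json)["results"]}

def check_package(maintainer, trusted, prev_keys=frozenset(), cur_keys=frozenset()):
    """Decide whether a package may be rebuilt without a human in the loop.

    Returns (decision, reason); decision is 'update', 'hold' or 'block'.
    """
    if maintainer is None:
        return "block", "orphaned: nobody to trust"
    if maintainer not in trusted:
        return "hold", f"new maintainer {maintainer!r}; manual approval required"
    if prev_keys and not cur_keys:
        return "hold", "validpgpkeys dropped from PKGBUILD; review before updating"
    return "update", f"maintainer {maintainer!r} trusted"

def plan_updates(rpc_json, trusted, pgp_keys):
    """Run the gate over every package in an RPC reply."""
    return {name: check_package(m, trusted, *pgp_keys.get(name, (set(), set())))
            for name, m in maintainers_from_rpc(rpc_json).items()}

def approve(trusted, maintainer):
    """Record a manual OK for a maintainer; returns the new trusted set."""
    return frozenset(trusted) | {maintainer}

if __name__ == "__main__":
    for name, (decision, why) in plan_updates(SAMPLE_RPC, {"alice"}, SAMPLE_PGP_KEYS).items():
        print(f"{name}: {decision} ({why})")
```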

tazer4 commented 3 years ago

@alexheretic you make some good points, maybe some of this can actually be merged with the master aurutils branch. I don't know how those kinds of collaborations are conducted but that might be something to explore.

AladW commented 2 years ago

I think aurutils and aurto have different audiences. The former is a toolset to adapt to AUR workflows, the latter more of an "install and forget" solution.

Apart from that, if https://github.com/alexheretic/aurto/issues/43 is solved somehow, I guess it could be made into an aur-trust.