Apologies, this mail went out to the wrong list.
Am 19.03.26 um 21:54 schrieb kleines Filmröllchen:
Hello all,
this issue has been on my mind for a while, but I haven’t bothered to
write to the mailing list about it until now.
Before Muflone took over maintainership of the davinci-resolve
packages (including davinci-resolve-studio and davinci-resolve-beta),
the PKGBUILD would automatically download the upstream package from
Blackmagic’s website. While Resolve is proprietary, the non-Studio
version (and the beta) are freely available, requiring not even a
proper login with the vendor. The download link on the website
(https://www.blackmagicdesign.com/products/davinciresolve ) is behind
a “registration” form, but this does not create a user account and to
the best external knowledge, the data entered here is never verified
in any way. Therefore, previous versions of the AUR package either
used a download link obtained by the maintainer after filling out the
form with arbitrary data, or replayed the form submission with fixed
data during prepare(), obtaining a new download link for the user.
Either way, the package contents are obviously always identical
(regular hashing applied). The same is true for packages retrieved
through the support center
(https://www.blackmagicdesign.com/support/family/davinci-resolve-and-fusion
), where in fact the Studio version (which requires a paid license)
does not require the submission of a form at all.
However, Muflone changed this behavior to instead require a
locally-downloaded version of the upstream package in all three cases.
The user reception for this was mixed, additionally caused by the
issue that AUR helpers need the upstream package file located in
special cache directories and not the current working directory.
Personally, I am strongly opposed to this change, but Muflone has
deflected criticism by pointing out that “Packages must not contain
black magic or unknown/hard to understand commands as users are
required to check the PKGBUILDs before installing/updating from AUR”
(https://aur.archlinux.org/packages/davinci-resolve?O=60#comment-1013733
).
While I agree in spirit, I disagree in this specific case. There are
multiple easy ways of obtaining the package that have been known for
some time; a review of the package commit history confirms this. On
the contrary, some of the changes required to make more technical
aspects of the package work properly will not be easy to understand
for users at times. Furthermore, a careful review of the AUR packages
reveals to me that this kind of direct download is perfectly allowed,
since in my opinion it doesn’t circumvent any real technical measures
by the upstream provider; see elaboration above: form contents are not
checked by the Blackmagic website, and sometimes skippable altogether.
I’m writing to the mailing list to gain clarification on the matter:
whether the manual download is actually more compliant with AUR rules
than what was happening previously (before commit
7351177b553aa3983163450822bf251ec7f7ab75), and whether the previous
approach was even in violation. If not, I’m not sure—if it’s possible
that the AUR maintainers can urge Muflone to change it back, that
would be excellent, but I don’t remember the AUR working that way.
Blocking Muflone and/or orphaning the package is also not a reasonable
approach, unless there is someone to step up to maintainership for the
package (unfortunately not me, as I don’t use Resolve frequently
enough, and often need to stay on older versions due to bugs
frequently introduced in new releases).
I hope I’m not overstepping any lines with this request, but as a user
of the package it is very annoying when a (new) maintainer degrades
the user experience for unclear/nebulous “rules compliance” and
refuses to engage in discussions about it. This is also the reason I
am writing here in the first place, I want to make it clear that I did
of course try to discuss this on the package comment page first; over
a year ago in fact. I also finally want to make it clear that this is
not about piracy of the Studio version in any way shape or form; while
the package download for it is still freely available from Blackmagic,
it’s less important to change the PKGBUILD as the software isn’t free
in the first place.
Greetings,
kleines Filmröllchen
