On Tue, Jun 9, 2015 at 5:53 PM, Ido Rosen <i...@kernel.org> wrote:
> I think some of the orphans on AUR are just maintained by multiple
> people. The usage pattern is:
>
> Person A adopts, updates, and disowns.
> Person B some time later notices it's out of date, adopts, updates, disowns.
>
> It seems perfectly reasonable to have multiple people maintain a
> package over time this way. Maybe we just need better support for
> this style of non-maintainership that isn't quite "orphaned"? Support
> for multiple maintainers/collaborators like on GitHub repos?
> (Outright owning a package in AUR prevents anyone else from updating
> it.)

It also prevents a third party (Mallory) from taking it over and:
(a) replacing it with something else (malware?);
(b) preventing Alice and Bob from updating it;
(c) requesting deletion;
(d) [insert other harmful actions here].

> if someone wants to update a package faster than I can get to it […]

You should use some service that would tell you about package updates,
for example requires.io for Python, or RSS feeds. Will take 5 minutes
to do it in many cases (to update pkgver and the checksums)

-- 
Chris Warrick <https://chriswarrick.com/>
PGP: 5EAAEA16