On Tue, Sep 05, 2017 at 05:33:09PM +0200, Levente Polyak wrote:
> > During last year's Chaos Communication Congress I got in touch with anthraxx and
> > shibumi. They introduced me to their security meet up along with jelle and
> > rgacogne. This ended up with me assisting the reviewing of security advisories,
> > and I have now been added as a CVE reporter to the team.
> >
> I can confirm that this happened, and we are happy to have you around
> for security stuff.

Thank you for everything!
> Now, I'm going to take a look at your AUR... Let the hunt begin *giggle*
> D:
>
> archur-git:
> - VCS package missing provides/conflicts

Fixed!

> bmusb:
> - would be more error prone and convenient to keep pkgver in sync when
>   using a pkgver() function for pinned commits and f.e. do:
>   git describe --always | sed 's/^v//;s/-/./g'
> - url variable points to a 403 page

Fixed apart from the pkgver(). Not sure about the intention of keeping the
pkgver in sync with the commit hash.

> buildah-git:
> - VCS package missing provides/conflicts
> - license can be changed to 'Apache' as that is already in common
>   licences and points to version 2.0
> - clone URL could use TLS via git+https

Fixed!

> cryptomator:
> - cryptomator.sh should use quotes for $PATH as it may contain spaces

Fixed!

> cubemap:
> - VCS package missing provides/conflicts
> - source name must contain something unique for current tarball like
>   commit hash otherwise it collides with an existing download of a
>   previous version and just fails on checksum matching
> - fails to build: configure: error: Package requirements (libsystemd)
>   were not met, seems to require it

It's not a VCS package. So a little unsure what you mean with that. Rest was
fixed with eschwartz's comments. Just forgot to push.

> dep-git:
> - VCS package missing provides/conflicts
> - clone URL could use TLS via git+https
> - use quotes for $PATH and $GOPATH as it could contain spaces

Fixed!

> dmenu-extended:
> - VCS package not named dmenu-extended-git, either rename or
>   use a pinned commit (you promised that a year ago in the
>   comments *giggle* :P :D )
> - python packages should have a build function as it's building
>   binary artifacts via setup.py and named function is needed in
>   the future to make py packages reproducible

Fixed! Deletion request has been sent to the old package.
> jottalib:
> - uses static string in the source v0.5.1.tar.gz that can be replaced
>   by $pkgver
> - not an 'any' arch as it builds binary artifacts
> - seems to contain lot of test cases run by travis, maybe try to include

Fixed. The test cases will have to wait a little as it refers to "python"
instead of "python2", along with being hard forked quite recently.

> molecule
> - URL pinpoints to 2.0.0.rc12 (which isn't even used anymore)
> - would be more error prone and convenient to keep pkgver in sync when
>   using a pkgver() function for pinned commits and f.e. do:
>   git describe --always | sed 's/^v//;s/-/./g'
> - test cases could be run via tox
> - could build docs like txt and man via sphinx in doc folder
> - outdated since 20 hours, 2.0.4 release *giggle*

Fixed, apart from the pkgver, and this library needs itself installed to
generate docs. Need to figure out how this is done.

> nageru
> - 1.6.2 has been released

Upstream dev forgot to update the archive on the page. Bugged him and got it
fixed.

> protege-distribution:
> - try to build from source rather than redistribute precompiled binary
>   blobs

Fixed!

> nodejs-how2:
> - could possibly be pulled via TLS https because why not :P
> - npm install package should forcefully fixup $pkgdir/usr file/dirs
>   as it's a non-deterministic race condition bug that upstream still
>   fails to find and fix. It can lead to node_modules dir being world
>   writable and it contains code, f.e. line 26:
>
>   https://git.archlinux.org/svntogit/community.git/tree/trunk/PKGBUILD?h=packages/uglify-js#n26
>

All fixed!

> nerd-fonts-git:
> - VCS package missing provides/conflicts

Fixed!

> python-anyconfig:
> - uses setuptools entrypoint functionality and therefore must hard depend
>   on python{,2}-setuptools instead of just makedepends
> - you could distribute the LICENSE.MIT file as MIT is not a common
>   included license
> - you could run tests via tox

Fixed!
> python-gilt
> - package_python2-gilt() must depend on python2 instead of python
>   and python2-giturlparse instead of python-giturlparse
> - test cases could be run via tox, therefore all py2+3 dependencies
>   should be added to checkdepends and tox be invoked
> - could build docs like txt and man via sphinx in doc folder

Fixed. The documentation requires gilt installed to be generated. So unsure
how that should be done. I have to look closer at this.

> python-marshmallow:
> - test cases could be run via tox, therefore all py2+3 dependencies
>   should be added to checkdepends and tox be invoked
> - could build docs like txt and man via sphinx in doc folder
> - you could distribute the LICENSE.MIT file as MIT is not a common
> - 2.13.6 has been released

sphinx requires a library called "sphinx_issues" for generating the docs.
Noted the package on my todo list. Rest has been fixed.

> python-vagrant:
> - test cases could be run
> - you could distribute the LICENSE.MIT file as MIT is not a common

The testing is sorta peculiar as it requires vagrant and virtualbox(!) to
run. Haven't gotten the cases to run after installing them so I have to work
a bit more on this.

> python-testinfra:
> - test cases could be run via pytest and included in checkdepends
> - PBR_VERSION will fail if run with noextract as prepare() is skipped

Fixed the PBR_VERSION issue. But the test cases require docker to run, so I
have to spend some more time to see if it's worth adding the tests to this
package.

> python2-humanize:
> - python packages should have a build function as it's building
>   binary artifacts via setup.py and named function is needed in
>   the future to make py packages reproducible
> - it depends on python while this is a python2 package
> - test cases and docs can be used if github sources are fetched instead

Fixed!
> python-rofi:
> - should use prefixed source with $pkgname and $pkgver to have a unique
>   file per version and package as it may conflict with a global source
>   dest setup

Fixed!

> python-pychromecast:
> - pkgdesc says "Library for Python 2 and 3 to..." how about including
>   python2 via a split package then? :P
> - python packages should have a build function as it's building
>   binary artifacts via setup.py and named function is needed in
>   the future to make py packages reproducible
> - maybe include the examples directory in the docs?

Fixed!

> xoutputd-git:
> - VCS package missing provides/conflicts
> - install mod 655 in bin file, is that on purpose or 755 expected?
> - makedepends on git missing
> - you could distribute the LICENSE file as MIT is not a common

Fixed!

> tmux-resurrect:
> - must depend on tmux and bash

Fixed!

> texcount:
> - no need to unzip it yourself, it works pretty well without prepare and
>   via bsdtar

Fixed!

Thanks again anthraxx and eschwartz for the comprehensive reviews!

-- 
Morten Linderud
PGP: 9C02FF419FECBE16
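Two of the review points above recur across several packages and are easy to check outside a PKGBUILD: the `pkgver()` one-liner anthraxx suggests for pinned commits (`git describe --always | sed 's/^v//;s/-/./g'`), and the npm race that can leave `node_modules` world-writable. The script below is an added example written for this page; it is not code from the thread, from any of the reviewed AUR packages, or the line from the uglify-js PKGBUILD the review links to. It wraps the sed transformation in a function that takes the `git describe` output as an argument (so it can be exercised on constructed sample strings with no repository), adds the pkgver validity check makepkg would otherwise fail on, and shows a generic "strip group/other write bits" pass as one illustration of the permission fixup. All inputs are constructed; the `$tmp` tree stands in for `$pkgdir/usr`.

```shell
#!/bin/sh
# Added example for the review above; not from the thread or the reviewed packages.

# Turn `git describe --always` output into a pkgver string, exactly as the
# review's one-liner does: drop a leading "v", replace every "-" with ".".
# Constructed inputs:  "v0.5.1"  "v0.5.1-12-gdeadbee"  "deadbee"
# Results:             "0.5.1"   "0.5.1.12.gdeadbee"   "deadbee"
describe_to_pkgver() {
    printf '%s\n' "$1" | sed 's/^v//;s/-/./g'
}

# makepkg rejects a pkgver that is empty or contains '-', ':', '/' or
# whitespace, so anything a pkgver() function emits should pass this check.
valid_pkgver() {
    case "$1" in
        ''|*-*|*:*|*/*|*' '*) return 1 ;;
        *) return 0 ;;
    esac
}

# Remove group/other write permission from everything under "$1".
# In a PKGBUILD this would run in package() against "$pkgdir"/usr after
# `npm install`. "$1" is quoted for the same reason the review flags
# unquoted $PATH and $GOPATH: the path may contain spaces.
fix_world_writable() {
    chmod -R go-w "$1"
}

# Succeed only if nothing under "$1" is still writable by "other".
no_world_writable() {
    [ -z "$(find "$1" -perm -o+w)" ]
}

# Stand-alone demonstration with constructed inputs.
for d in v0.5.1 v0.5.1-12-gdeadbee deadbee; do
    printf '%-20s -> %s\n' "$d" "$(describe_to_pkgver "$d")"
done

tmp=$(mktemp -d)
mkdir -p "$tmp/usr/lib/node_modules/how2"
: > "$tmp/usr/lib/node_modules/how2/index.js"
chmod 777 "$tmp/usr/lib/node_modules/how2"           # simulate what npm can leave behind
chmod 666 "$tmp/usr/lib/node_modules/how2/index.js"
no_world_writable "$tmp" || echo "before fixup: world-writable entries present"
fix_world_writable "$tmp"
no_world_writable "$tmp" && echo "after fixup: clean"
rm -rf "$tmp"
```

Run it with `sh` to see the three sample conversions and the before/after state of the constructed tree. In a real PKGBUILD the first function becomes the body of `pkgver()` (with `git describe --always` replacing the argument) and the third runs at the end of `package()`; `valid_pkgver` is only a local sanity check, since makepkg performs the same validation when it runs.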