On 29/10/2018 20:30, Eli Schwartz via aur-general wrote:
>
> A bit late to a TU review once again, but I've got some reviews for your
> AUR packages here. I'd also like to acknowledge that some of these
> you've likely already fixed, especially the provides/conflicts on -git
> variants... but I cloned your PKGBUILDs at the beginning of the
> discussion period and haven't pulled your changes. Some packages were
> very similar to each other but enabled different build options, e.g. the
> ffmpeg family -- I may not have mentioned each by name but reviews may
> apply to multiple packages:
>
> ....


Hi Eli and thank you for preparing this review about my packages. This
was very helpful! As you have already mentioned, I've applied the fixes
that were already suggested by the TUs, especially the gpg and
provides/conflicts situations. Now that you've made this deep review
I'll continue to apply more changes for the remaining issues. Thank you! :)


> I didn't end up going further than this, but I noticed some common
> themes that I liked:
> - you're pretty reliable about quoting
> - you're pretty reliable about naming sources uniquely
> - your packages are usually pretty well written to work as expected


Thanks for also saying things that are positive. :)


> And some that I didn't like:
> - oftentimes, urls and sources could and should be upgraded to use
>   https, something that Devs/TUs are admittedly not historically careful
>   about either, but we are working on it as indicated by this TODO list:
>   https://www.archlinux.org/todo/use-gpg-signatures-and-https-sources/
>   Of course, the TODO list has been outstanding for like 2 years now,
>   because it's rather boring administrivium to fix (I find it easier to
>   do so when already modifying a PKGBUILD)
> - you often disable testsuites or don't include them at all, which is
>   probably along the same logic as having previously removed PGP
>   checks. I don't expect this to be a problem for community packages,
>   but I think they're both issues that should be fixed in the AUR too.
>   makepkg has options to disable both, if users don't want to waste time
>   running these, and IMHO they should be opt-out.
> - personal nitpicks about some of the bash scripting you use to get the
>   job done in exotic cases


Thanks for pointing out these areas where I can improve! :)

Regarding the https case, this was already pointed out to me for instance in
the firetools package by my sponsor Bruno Pagani during the discussion
period, which I promptly changed, as you can see here:

https://aur.archlinux.org/cgit/aur.git/commit/?h=firetools&id=3df44249680150a9a8bce4dd80b41809dcef061f

I'll pay attention to using https sources whenever possible when
doing package maintenance and upgrades.

Ok, I'll enable the checks/tests in packages when they're applicable,
letting users choose if they want to run them or not.

Thanks again.

-- 
Best regards,
Daniel Bermond
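
The review themes discussed in this message (plain-http URLs and sources, PGP checks, missing test suites) can be checked mechanically. The following is an added example, not code from the thread or from any Arch tool: a static lint that reads a PKGBUILD as text rather than sourcing it, since sourcing would execute it. The sample PKGBUILD is constructed, the finding codes are made-up names, and the regexes assume simple `name=(...)` arrays without comments or command substitution.

```python
import re

# Constructed sample PKGBUILD (not one of the packages under review).
SAMPLE = '''\
pkgname=example-tool
pkgver=1.0
pkgrel=1
url="http://example.org/"
source=("http://example.org/dl/example-tool-${pkgver}.tar.gz"
        "https://example.org/dl/example-tool-${pkgver}.tar.gz.sig")
sha256sums=('SKIP' 'SKIP')
build() {
  make -C "example-tool-${pkgver}"
}
package() {
  make -C "example-tool-${pkgver}" DESTDIR="${pkgdir}" install
}
'''

# Optional "name::" rename prefix, optional VCS prefix such as "git+", then a cleartext scheme.
INSECURE = re.compile(r'^(?:[^:]+::)?(?:\w+\+)?(?:http|ftp)://')
SIG_EXT = ('.sig', '.sign', '.asc')  # extensions makepkg treats as PGP signatures

def array_items(text, name):
    """Words of every bash array assignment name=(...) or name_<arch>=(...)."""
    items = []
    for body in re.findall(rf'^{name}(?:_\w+)?=\((.*?)\)', text, re.M | re.S):
        items += [w.strip('\'"') for w in re.findall(r'"[^"]*"|\'[^\']*\'|\S+', body)]
    return items

def audit(text):
    """Return (code, detail) findings from text checks; the PKGBUILD is never sourced."""
    findings = []
    m = re.search(r'^url=["\']?(\S+?)["\']?$', text, re.M)
    if m and INSECURE.match(m.group(1)):
        findings.append(('insecure-url', m.group(1)))
    sources = array_items(text, 'source')
    findings += [('insecure-source', s) for s in sources if INSECURE.match(s)]
    # A signature is verified, but without validpgpkeys the signing key is not pinned.
    if any(s.endswith(SIG_EXT) for s in sources) and not array_items(text, 'validpgpkeys'):
        findings.append(('sig-without-validpgpkeys', 'signature listed, no pinned fingerprint'))
    if not re.search(r'^check\(\)\s*\{', text, re.M):
        findings.append(('no-check-function', 'test suite is not run'))
    return findings

if __name__ == '__main__':
    for code, detail in audit(SAMPLE):
        print(f'{code}: {detail}')
```
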

