[Dev] Server Concerns

Florian Pelz pelzflorian at pelzflorian.de
Mon Nov 16 16:39:49 GMT 2015


On 11/16/2015 03:13 PM, fauno wrote:
> Luke <g4jc at openmailbox.org> writes:
>> @Florian: Blacklisting AUR would be a very large task. It would be
>> easier to whitelist needed packages. Modifying yaourt to point to our
>> own servers shouldn't be too big a task by comparison.
> 
> it's not a technical issue, we can set up a PUR very easily, but we have
> to review/police (!) the pkgbuilds to comply with our free software
> policy afterwards.  who's willing to do that work?  not me! :]
> 
> it's not only a matter of adding the license to the pkgbuild, there're
> many mislicensed pkgbuilds on AUR (packager doesn't check/care, etc.)
> 
> some time ago we discussed adding an "our-freedom" package, which
> blacklists AUR, so you can use any AUR helper without having to maintain
> our own infrastructure.  i think it's easier to review the top AUR
> packages for "freedomness" (i'm guessing not many of them are libre...)
> and work from there.  i agree the whitelist approach is better, maybe we
> could blacklist anything on AUR preventively (!) and start removing
> packages for our-freedom's conflicts field.
> 
> i've no idea if pacman would support a single package with thousands of
> conflicts.  maybe our-freedom could be a group, that installs many
> packages?
> 

A PUR that is set up the same way as AUR may mean that there are
packages available in PUR but not in AUR. I don't think we should
compete with Arch in that way. I think this would mean duplicate work
for both Parabola and Arch.

A whitelist has the advantage that an incomplete whitelist is already
usable. It is also safer than a blacklist. I like the idea of a
whitelist. This would mean making a package / packages with very many
conflicts as you say (AUR minus the whitelist), but if that is possible,
it seems the easiest way to keep the AUR.

Of course, the AUR does contain lots of free software. I don't see a way
to filter by license, but I'd guess maybe half of it is free. That's
some 15000 packages in a complete whitelist or blacklist. It is possible
the pacman / libalpm developers did not consider it important to make
pacman handle such conflicts efficiently. It is also possible that 15000
is a low enough number that we need not care.

> just throwing ideas around, since i won't have the time to implement
> them myself :P
> 

I'd very much like to help, but I'm too busy until March.

