Package Details: aurman 2.20.1-1

Git Clone URL: https://aur.archlinux.org/aurman.git (read-only)
Package Base: aurman
Description: AUR helper with almost pacman syntax
Upstream URL: https://github.com/polygamma/aurman
Licenses: MIT
Submitter: polygamma
Maintainer: polygamma
Last Packager: polygamma
Votes: 196
Popularity: 0.20
First Submitted: 2018-03-20 21:31
Last Updated: 2020-07-07 19:38

Pinned Comments

polygamma commented on 2018-08-21 18:02

aurman development for public use has been stopped. I suggest migrating to yay; I am not interested in any kind of feedback, bug reports, feature requests etc. anymore.

Latest Comments

polygamma commented on 2018-06-18 17:02

@j1simon, @Cavsfan, really, is it that hard to read the pinned comments and accept that this is NOT the right place for such "issues"?

Cavsfan commented on 2018-06-18 16:56

I meant "Y" not "U"

Cavsfan commented on 2018-06-18 16:55

@polygamma, I fully trust adding this key and gave it a "U", but it got these errors:

gpg: keyserver receive failed: No data
2018-06-18 12:44:17,909 - classes - search_and_fetch_pgp_keys - ERROR - Import PGP key 4C3CE98F9579981C21CA1EC3465022E743D71E39 failed.
2018-06-18 12:44:17,909 - main - main - ERROR - 
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/aurman/main.py", line 734, in main
    process(argv[1:])
  File "/usr/lib/python3.6/site-packages/aurman/main.py", line 646, in process
    package.show_pkgbuild(noedit, show_changes, pgp_fetch, keyserver, always_edit, default_show_changes)
  File "/usr/lib/python3.6/site-packages/aurman/classes.py", line 1051, in show_pkgbuild
    self.search_and_fetch_pgp_keys(fetch_always, keyserver)
  File "/usr/lib/python3.6/site-packages/aurman/classes.py", line 935, in search_and_fetch_pgp_keys
    raise ConnectionProblem("Import PGP key {} failed.".format(pgp_key))
aurman.own_exceptions.ConnectionProblem: Import PGP key 4C3CE98F9579981C21CA1EC3465022E743D71E39 failed.

polygamma commented on 2018-06-17 12:22

@enbQao - Really depends on what you want to achieve. Do you want to be sure that the guy on the GitHub picture https://github.com/polygamma is the one who has pushed the changes? Guess you'll have to visit me in Kiel, Germany for that. Do you want to be sure that the one who "owns" this AUR package is the one who pushed the changes? Well, you have to hope that nobody stole the SSH private key for this package. Do you want to be sure that the one responsible for the GitHub repository https://github.com/polygamma/aurman is the one who pushed the changes? Write an email to the e-mail address mentioned on the GitHub profile and hope that nobody hacked the GitHub account and/or the e-mail address.

Besides that: the PGP key has been newly created just for the purpose of signing aurman commits and releases, so there are no other people on earth who could really verify that it's the PGP key of "Jonni Westphalen". But since the commits and releases were not signed at all just a few days ago, you do not lose any security by "trusting" the new PGP key. All in all, aurman is open source; just look at the source code if you want to be sure that there is nothing "fishy".

Addition: as time passes, it's getting more and more unlikely that the dev of aurman is not the one who introduced PGP signing with that key, because, well, guess he would not let it pass that his accounts and private keys have been stolen without making noise.

enbQao commented on 2018-06-17 11:54

Hi, with the latest update, it said

"PGP Key 4C3CE98F9579981C21CA1EC3465022E743D71E39 found in PKGBUILD of aurman and is not known yet. Do you want to import the key?"

I know I can probably trust this, but how can I verify myself that I can trust this?

(seeing all the comments here I hope this is the right place to ask)

polygamma commented on 2018-06-17 10:16

@Eschwartz - see: https://aur.archlinux.org/cgit/aur.git/commit/?h=aurman&id=2dc46d3f2ff2

eschwartz commented on 2018-06-17 06:28

Hey, now that pacman 5.1 with support for signed VCS sources should be broadly available, and given that you use PGP signing on the git release tags (as of the latest), could you please add ?signed to the git source and your validpgpkeys fingerprint?

I'd appreciate that for the -git version as well, but I'm not sure how feasible that is since the current HEAD commit is not signed. :/ It would require committing to always ensuring the current HEAD commit is signed.

This would address and exceed the requests mentioned a couple of times before in the comments here about doing checksum verification.

(Quick note to everyone in general: the checksums are meant to ensure download integrity, but git repositories already guarantee this; it's built into the git protocol. Verifying the code authorship is a different issue entirely, which checksums do not address but PGP does...)
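
The change eschwartz asks for, shown as an added example rather than the aurman PKGBUILD itself: a constructed "before" fragment whose git source is fetched without any signature check, the same fragment with ?signed on the source and the fingerprint quoted in these comments listed in validpgpkeys, and a small POSIX sh lint (also added here, not part of aurman or makepkg) that flags git sources lacking ?signed. The PKGBUILD contents and the function names unsigned_git_sources, has_validpgpkeys and pkgbuild_vcs_signed are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not the aurman PKGBUILD: two constructed PKGBUILD fragments and a
# lint that checks whether every git+ source carries makepkg's ?signed marker and
# whether a validpgpkeys array is declared. The fingerprint is the one quoted in
# the comments above; everything else here is constructed for illustration.

# Constructed "before": git's own hashing gives integrity, but nothing checks
# who created the tag. sha256sums=SKIP is the usual setting for VCS sources.
PKGBUILD_BEFORE='pkgname=aurman
pkgver=2.20.1
source=("git+https://github.com/polygamma/aurman.git#tag=$pkgver")
sha256sums=("SKIP")'

# Constructed "after": with ?signed, makepkg verifies the tag signature against
# the keys in validpgpkeys before building.
PKGBUILD_AFTER='pkgname=aurman
pkgver=2.20.1
source=("git+https://github.com/polygamma/aurman.git?signed#tag=$pkgver")
sha256sums=("SKIP")
validpgpkeys=("4C3CE98F9579981C21CA1EC3465022E743D71E39")'

# Print each git+ source URL (up to its #fragment) that lacks ?signed.
# Empty output means every git source is marked as signed.
unsigned_git_sources() {
    printf '%s\n' "$1" | grep -o 'git+[^"#]*' | grep -v '?signed' || true
}

# Succeed when the PKGBUILD text declares a validpgpkeys array.
has_validpgpkeys() {
    printf '%s\n' "$1" | grep -q '^validpgpkeys=('
}

# Succeed only when all git sources are ?signed and validpgpkeys is present.
pkgbuild_vcs_signed() {
    [ -z "$(unsigned_git_sources "$1")" ] && has_validpgpkeys "$1"
}

# Stand-alone run: report on both constructed fragments.
for name in PKGBUILD_BEFORE PKGBUILD_AFTER; do
    eval "text=\$$name"
    if pkgbuild_vcs_signed "$text"; then
        echo "$name: every git source is ?signed and validpgpkeys is set"
    else
        echo "$name: unsigned git sources: $(unsigned_git_sources "$text")"
    fi
done
```

The lint only inspects the PKGBUILD text; the actual signature check happens in makepkg, which needs the fingerprint's public key in the building user's gpg keyring, which is exactly the import prompt enbQao describes. A "SKIP" checksum is fine here because, as the comment says, git already guarantees the download matches the tag; the validpgpkeys entry is what binds that tag to a key.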

Kewl commented on 2018-06-13 19:39

I like the fact that this is in python with readable code, very few dependencies, and actively maintained. Good job.

andreyv commented on 2018-06-13 18:39

@polygamma: Thank you for your hard work.

polygamma commented on 2018-06-13 09:32

@Camponotus: https://github.com/falconindy/expac/pull/35