FS#42275 - Leftover tarballs for old packages (before the split package support or after "promotion" to extra)

Attached to Project: AUR web interface
Opened by Andrej Podzimek (andrej) - Tuesday, 07 October 2014, 04:02 GMT
Last edited by Lukas Fleischer (lfleischer) - Friday, 10 October 2014, 08:11 GMT
Task Type: Bug Report
Category: Backend
Status: Closed
Assigned To: No-one
Architecture: All
Severity: Low
Priority: Normal
Reported Version: 3.4.1
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 1
Private: No

Details

I'm reporting this based on a discussion here: https://aur.archlinux.org/packages/diaspora-postgresql-git/. Besides occupying disk space, outdated and unmaintained tarballs may contain potentially unsafe stuff.

My local build script usually downloads packages (with package names in the first argument) as follows:

wget https://aur.archlinux.org/packages/"${1:0:2}"/"$1"/"$1".tar.gz

That's how I discovered some links that shouldn't work any more.

This tarball is no longer supported since the advent of split package support in AUR and yields a PKGBUILD that doesn't work. It is now superseded by 'diaspora-git':
https://aur.archlinux.org/packages/di/diaspora-postgresql-git/diaspora-postgresql-git.tar.gz

This tarball contains an outdated version of the Openfire Jabber server which has been moved to 'extra' some time ago. The current version is 3.9.3 whereas the tarball is stuck at 3.7.1:
https://aur.archlinux.org/packages/op/openfire/openfire.tar.gz
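As an added example (not part of the report and not AUR code), here is a POSIX shell check that a build script like the one above could run on a downloaded tarball before building from it: it confirms that the PKGBUILD inside actually names the package that was requested and reports its pkgver, reading the PKGBUILD with sed rather than sourcing it. The sample tarball is constructed for the demonstration, and version_lt assumes GNU sort -V.

```shell
# aur_pkgbuild_field PKGBUILD FIELD -> value of FIELD, quotes and parens stripped.
# The PKGBUILD is arbitrary shell, so it is only ever read, never sourced.
aur_pkgbuild_field() {
    sed -n "s/^$2=\(.*\)\$/\1/p" "$1" | head -n 1 | tr -d "()'\""
}

# aur_check_tarball TARBALL NAME -> prints "<pkgbase> <pkgver>"; returns 1 when
# NAME is neither the pkgbase nor one of the pkgname entries (split packages).
aur_check_tarball() {
    tmp=$(mktemp -d) || return 1
    tar -xzf "$1" -C "$tmp" || { rm -rf "$tmp"; return 1; }
    pb=$(find "$tmp" -name PKGBUILD | head -n 1)
    [ -n "$pb" ] || { rm -rf "$tmp"; return 1; }
    base=$(aur_pkgbuild_field "$pb" pkgbase)
    names=$(aur_pkgbuild_field "$pb" pkgname)
    ver=$(aur_pkgbuild_field "$pb" pkgver)
    rm -rf "$tmp"
    # A non-split PKGBUILD has no pkgbase; fall back to the first pkgname.
    [ -n "$base" ] || base=${names%% *}
    found=1
    [ "$2" = "$base" ] && found=0
    for n in $names; do [ "$2" = "$n" ] && found=0; done
    printf '%s %s\n' "$base" "$ver"
    return $found
}

# version_lt A B -> true when A is an older version than B (GNU sort -V).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Constructed sample mirroring the report: a leftover tarball whose PKGBUILD is
# stuck at openfire 3.7.1 (hypothetical content, not the real AUR PKGBUILD).
make_sample_tarball() {
    d=$(mktemp -d) || return 1
    mkdir "$d/openfire"
    printf 'pkgname=openfire\npkgver=3.7.1\npkgrel=1\n' > "$d/openfire/PKGBUILD"
    tar -czf "$1" -C "$d" openfire
    rm -rf "$d"
}
```

Pairing the returned pkgver with version_lt against the version shipped in the official repositories flags exactly the stale-tarball case described above.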

Closed by Lukas Fleischer (lfleischer)
Friday, 10 October 2014, 08:11 GMT
Reason for closing: Not a bug
Comment by Andrej Podzimek (andrej) - Tuesday, 07 October 2014, 04:05 GMT
Well, Openfire is in 'community', not in 'extra', but otherwise my original point still holds.
Comment by Lukas Fleischer (lfleischer) - Tuesday, 07 October 2014, 08:15 GMT
We keep tarballs of deleted packages as a backup. Could you elaborate on how they are "potentially unsafe"? They are not referenced anywhere, you need to download them explicitly by specifying the tarball URL. Note that this is also likely to change with the release of AUR 4.0.0 which replaces the source tarballs by Git repositories.
Comment by Andrej Podzimek (andrej) - Tuesday, 07 October 2014, 12:34 GMT
Obviously, the old tarballs are unmaintained and refer to old versions of software with old security bugs. This may not be a problem for the -git packages, but it certainly could be harmful for Openfire and other "promoted" packages. But considering the new Git-based AUR in preparation, this probably doesn't need to be fixed.
Comment by Lukas Fleischer (lfleischer) - Tuesday, 07 October 2014, 16:21 GMT
As I said before, these old packages are not referenced anywhere. So anyone downloading one of the tarballs either needs to specify the full download URL manually or use some unofficial script.