Package Details: windows10-icon-theme-git r14.9f199c6-1

Git Clone URL: https://aur.archlinux.org/windows10-icon-theme-git.git
Package Base: windows10-icon-theme-git
Description: Windows 10 icon theme
Upstream URL: https://github.com/B00merang-Artwork/Windows-10
Licenses: GPL3
Conflicts: windows10-icon-theme-git
Provides: windows10-icon-theme-git
Submitter: fabienwang
Maintainer: zerophase
Last Packager: fabienwang
Votes: 16
Popularity: 0.000001
First Submitted: 2019-05-02 21:17 (UTC)
Last Updated: 2020-10-23 17:11 (UTC)

Dependencies (1)

Required by (1)

Sources (1)

Latest Comments


polyzen commented on 2019-05-08 14:47 (UTC) (edited on 2019-05-08 14:47 (UTC) by polyzen)

> Really it's what you think is best. I've been maintaining this for awhile and would prefer to continue doing so.

I just meant in terms of the name of the package. I could add you as co-maintainer once they are merged.

> To be honest Unreal gets flagged a lot for using ssh.

o.O

> @polyzen oh, and I'm using just git straight, rather than https. So, any issues with people who have github accounts getting forced to login are mitigated.

The issue may have been the Git remote of your clone was set to use SSH and then the scheme in the pkgbuild was changed without also modifying the remote on the local clone. HTTPS doesn't require login to pull with GitHub (or anywhere? not sure).

zerophase commented on 2019-05-04 04:11 (UTC)

@polyzen oh, and I'm using just git straight, rather than https. So, any issues with people who have github accounts getting forced to login are mitigated.

zerophase commented on 2019-05-04 00:06 (UTC) (edited on 2019-05-04 00:08 (UTC) by zerophase)

@polyzen I'm just trying to think of weird edge cases.

Really it's what you think is best. I've been maintaining this for awhile and would prefer to continue doing so. That outburst was really a one time thing over seeing an orphan request out of the blue with no attempt to contact me. If you look at my comments on the Unreal repo I maintain I'm mostly cordial with other users. I'm sure on occasions there have been a few strong words. To be honest Unreal gets flagged a lot for using ssh. You need to sign up through Epic to get access, and I think you can use zip, but it is not fully supported, and upstream uses the same build process.

I get the documentation, but from how it's written it does not say ssh is not allowed. The English as written at the section linked uses "e.g." which means for example, and is not an exhaustive list. I was completely unaware that ssh was not supposed to be used. I won't use it in the future. I'm just saying nothing explicitly forbids it on that page.

How am I to balance system security while still maintaining packages? That's why I used ssh in the first place, since I'd have to compromise security by entering the password into git.

Is this more of an issue of users having a political issue against github? If I used another git hosting service would that be fine? Such as gitlab running on a local machine?

polyzen commented on 2019-05-03 21:46 (UTC) (edited on 2019-05-03 21:47 (UTC) by polyzen)

> In the future, if I need ssh for a maintained package

This is just a misunderstanding. A project that can only be sourced via SSH is probably not meant for public use. Use git+https://: https://wiki.archlinux.org/index.php/VCS_package_guidelines#VCS_sources

While we're here: any reason this shouldn't be merged into windows10-icon-theme-git?

zerophase commented on 2019-05-03 05:59 (UTC) (edited on 2019-05-03 06:27 (UTC) by zerophase)

@eschwartz Ok, fully explaining my general issue with https and github, in cases where a password happens to be needed for whatever reason.

By the way, I looked into my github settings, and the security settings are cranked to the absolute max. Someone tried to log in to my account months ago in Indonesia, according to the github log. So, I changed my password to an auto generated 24 character string of characters, numbers, and symbols. I can only interact with my github account through ssh, or if I use one of the paper keys in case I lose my password. I do not like having important passwords saved all over the place, and stored unencrypted, as I'm involved in cryptocurrencies.

As far as I'm aware, git stores passwords unencrypted, but there is a credential helper for using a password Keyring. Anyone know if there is a ready made solution for allowing git to use KeePass for storing passwords? I would use gnome-keyring, but I keep that unencrypted, as I only save unimportant passwords there and have autologin enabled.

While I have the package build ready for making this a proper git repo. In the future, if I need ssh for a maintained package, and the rest of the community would prefer https. How should I properly address the issue of making it very difficult for anyone, including myself, to know my passwords? I'm just trying to avoid obstacles to keeping the package up to date.

zerophase commented on 2019-05-02 22:04 (UTC) (edited on 2019-05-02 22:22 (UTC) by zerophase)

Sorry everyone this is just a misunderstanding coupled with answering the same question frequently and politely, for UE4. I just lost it on an innocent person. I'm sorry @fhwcat.

It looks like fhwcat already opened a git repo. If he wants to add me as a comaintainer I do fix and report icon issues on occasion, and probably have a fix before the actual upstream. It looks like upstream has been moving towards a more normal git release cycle, recently. So, maybe everything will be easier from that end from now on.

eschwartz commented on 2019-05-02 21:34 (UTC) (edited on 2019-05-02 21:36 (UTC) by eschwartz)

Oh... the url is a redirect to B00merang-Project/Windows-10 but the repo is cloned from B00merang-Artwork/Windows-10 which does not have the same release cycle. My bad, sorry for the confusion.

It's fine to transition to a -git package if you want.

It is nevertheless true that:

  • when cloning over git:// you need to makedepends=('git')
  • if you're not using a -git package, you should pin the commit you're using, to ensure that you don't inadvertently build different commits with the same pkgver. e.g.
source=("git://github.com/B00merang-Artwork/Windows-10#commit=7cf42049a9db0a9a9cdd1aadabad15cf72f4b01b")

If you are using a -git package it should have a pkgver() function as per https://wiki.archlinux.org/index.php/VCS_package_guidelines
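
The packaging points raised in this thread (no SSH transport for a public repository, makedepends on git, a pinned commit for a non -git package, a pkgver() function for a -git package) can be checked mechanically before a PKGBUILD is pushed. The shell function below is an added example, not part of the thread and not a makepkg or namcap feature; the function name and finding codes are made up here, and the SSH sample entry is constructed.

```shell
#!/bin/sh
# Usage: lint_vcs_source PKGNAME SOURCE "MAKEDEPENDS..." HAS_PKGVER(yes|no)
# Prints space-separated finding codes, "ok", or "skip" for non-git sources.
lint_vcs_source() {
    pkgname=$1; src=${2#*::}; makedeps=$3; has_pkgver=$4   # drop "name::" prefix
    findings=""
    case $src in
        git://*|git+*) ;;
        *) echo "skip"; return 0 ;;
    esac

    url=${src%%\#*}                      # URL without the #fragment
    case $src in
        *"#"*) frag=${src#*\#} ;;
        *)     frag="" ;;
    esac

    # SSH needs a key registered with the host, so other users cannot build.
    bare=${url#git+}
    case $bare in
        ssh://*) findings="$findings ssh-transport" ;;
        *://*)   ;;
        *@*:*)   findings="$findings ssh-transport" ;;   # scp-style user@host:path
    esac

    # Every git source needs the git program at build time.
    case " $makedeps " in
        *" git "*) ;;
        *) findings="$findings missing-makedepends-git" ;;
    esac

    case $pkgname in
        *-git)  # follows upstream HEAD, so the version must come from pkgver()
            [ "$has_pkgver" = yes ] || findings="$findings missing-pkgver" ;;
        *)      # release package: one pkgver must always build the same commit
            case $frag in
                commit=*) ;;
                *) findings="$findings unpinned-commit" ;;
            esac ;;
    esac
    findings=${findings# }
    echo "${findings:-ok}"
}

# Constructed sample entries (repository path taken from the thread).
lint_vcs_source windows10-icon-theme \
    "git+ssh://git@github.com/B00merang-Artwork/Windows-10.git" "" no
lint_vcs_source windows10-icon-theme-git \
    "git+https://github.com/B00merang-Artwork/Windows-10.git" "git" yes
```

The first sample call reports all three problems for a non -git package; the second is clean.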

zerophase commented on 2019-05-02 21:19 (UTC) (edited on 2019-05-02 21:22 (UTC) by zerophase)

@eschwartz Oh sure, I'll update the link to the specific repo. I've seen a lot of other packages pointing towards the overall main repo or project page, while pulling from a different link for the specific repo.

I actually want to merge this into a git package as this project uses the git repo at: https://github.com/B00merang-Artwork/Windows-10 for pulling the icon theme down. Upstream changed their distribution method about a year or so ago, and I noticed an updated windows icon theme available, without the issue of the old icon theme, which did not have a stable link present. Just by making it a git package I won't have to constantly be checking in on upstream, which has an erratic work schedule.

So, is getting the package conformed to best standards and then merged into a git package acceptable?

eschwartz commented on 2019-05-02 21:17 (UTC)

@zerophase, which other packages use ssh authentication, but aren't private repositories like unreal-engine? If there are such packages, then they need to be fixed too.

It makes no sense for packages which do not require ssh, to use it. It makes perfect sense for unreal-engine, a commercial product that can only be downloaded by logged-in users who have paid for the product, to use git via ssh.

And there is not necessarily animosity towards the fact that you used ssh... but the fact that your reaction to someone asking, politely, for you to change that, and trying to engage in dialog about why it would be better to use https... was to curse at them? That, there, is something that can understandably cause animosity.

For a statement that did not even have any technical justification... :/

eschwartz commented on 2019-05-02 21:12 (UTC) (edited on 2019-05-02 21:28 (UTC) by eschwartz)

Also please note that the upstream software has stable, tagged releases, which are much more recent than 0.5 -- but you're pulling from git master instead of the versioned tarballs that don't require the git program at all. Also, if it was correct to use git, the PKGBUILD would still be wrong because it does not makedepends on git.

This is not a -git package and therefore it must use the stable release.

The package needs lots of fixing to conform to best packaging practices, and requiring SSH authentication is just the tip of the iceberg.

EDIT: The links confused me, two different repos with almost the same name.