On the official repo, are packages maintained by anyone or maintained by the repo owner?

[trymeouteh]

On the official repo, are packages maintained by anyone or maintained by the repo owner?

[Elsie19]

Packages are maintained by the person who's listed in the maintainer key in a given pacscript. If a maintainer key is not given, it can be considered orphaned.

[trymeouteh]

Therefore a developers or someone who wants to add and maintain a package on Pacstall, can become a maintainer for packages if the repo owner gives them a valid key?

[wizard-28]

There isn't a valid key, the maintainer variable usually looks like this:

github_name <email_address>

If this maintainer variable is present in the pacscript, then the pacscript is considered to be maintained otherwise orphaned.

• hyperfine-bin
• soundux
• an-anime-game-launcher-bin

---

can become a maintainer for packages if the repo owner gives them a valid key?

If you want to become a pacscript maintainer then you would just have to make a PR to the repository with your pacscript, and the packagelist file edited.

[trymeouteh]

So anyone can maintain a package but to be a maintainer you need to submit a pull request and the repository owner must approve of this.

I ask this since users who install software on the AUR should take precautions since anyone could submit malware to the AUR. Do users need to take some caution before installing packages in pacstall since anyone could submit malware to official pacstall repository? The official Debian and Ubuntu package repos are maintained by a few people and they ensure there is no malware, but packages are outdated.

[wizard-28]

Mostly the pacscripts would have to be updated by the maintainer when there's a new update. Then the update PR will go through the reviewal process again.

The only case where this isn't true is for -git pacscripts, as they track the latest commit from the package developers. So theoretically the package developer could push a malicious commit, and the end-users who update pacscript using pacstall would be infected. But this hasn't happened yet. Like I've said previously it's recommended for the user to know what's being done to their system, in this case to read the commit logs/release notes.

One more thing I would like to say here is that for Pacstall 2.0.0, during updates we would show the user the release notes and the commit logs rendered beautifully in the terminal, so this step would be even easier for the user to do by then.

[trymeouteh]

Is this the exact same way in how the AUR works for maintaining packages too? And does this process slow down updates on packages in pacstall?

[wizard-28]

It definitely slows down package updates, but our average PR response time is around 4 hours.

[trymeouteh]

However users will not need to worry too much for having to waiting weeks, months or years for their packages to get updated?

[Elsie19]

As said, the time from PR creation to merge is usually less than 4 hours.