In which they put a bold faced text overlay across the thumbnail and make sure to include at least one algospeak self-censorship asterisk („sh*t“). Bonus points if the word wasn’t even a curse word.
Except for the unfortunate minority of normal visitors who always get misclassified as bots and get denied access regularly.
I wouldn’t be complaining if Cloudflare’s misclassifier bit any user with the same small probability. But it keeps biting the same users over and over again.
Cloudflare: let's give the bots their own accounts so they can scrape harder.
Also Cloudflare: let's send normal humans who are trying to go about their daily lives into endless Turnstile spinner loops with absolutely zero recourse, grievance, or support infrastructure.
Your comment compares Lithuanian homebrew tech to Ukrainian military-funded tech and claims that the former is grossly inferior to the latter. That comparison is what they're challenging.
> What are you saying about nukes?
According to your comment, homebrew tech was not going to prevent World War III. This can come across as unconstructive because in general, even small things can make a difference (or be a first step towards something that will.)
Their comeback "explain what your plan is against nukes" is just another way of saying "your comment just dismissed an idea but failed to present a better idea on its own," or more generally, "let's remain constructive."
It’s on you to decide whether you trust upstream or not.
You’re free to use any scanner you want on the upstream sources if it makes you feel safer. (I’m currently working on a makepkg extension that allows just that.)
The core and extra repos are curated, and every package maintainer is doing their due diligence (and more) to protect the users. But on the AUR, nobody is going to do that work for you.
PKGBUILDs are not packages. They’re (user-contributed) instructions on how to build packages.
> available through the OS's repos.
No. The AUR is a platform, similarly to NPM or PyPI, that allows users to upload PKGBUILDs. It is not part of “the OS’s repos,” and it says that loud and clear, multiple times, including on the front page.
> A normal PKGBUILD should not download anything programmatically. It should rely on the package manager to download the files listed in the PKGBUILD's source array.
This is generally not true. Look at a PKGBUILD of:
- any Node.js package. You'll see that the `prepare` step downloads the entire transitive dependency tree from NPM. (This is because it has a massive number of leaves and no system package maintainer can curate them all (let alone resolve each one to a single version that works across all dependees).
- any Rust program. Rust uses static linking, so publishing a system-level package for each library would be pointless. Therefore, during `prepare`, `cargo fetch` it is.
> A less than 100% reliable mechanism sure beats the current situation which is "wait for users report on the forum that they have been pwn3d". May I remind that this is the third time AUR-hosted PKGBUILDs have been compromised?
Socials:
- github.com/claui
Interests:
Open source, packaging, CLI, digital inclusion, device neutrality