Dreamt of building this type of automation back in my FreeBSD ports committer days. 90% of package maintenance is repetitive routine. Glad now that GitHub has a much bigger share of the market, people are making more progress.
Oversight and manual review still needed for many good and obvious reasons — something lacking or missing in leaner package management systems like the ones built into languages.
> Of course, since these packages are built automatically without human supervision it’s likely that some of them will have bugs in them that would otherwise have been caught by the maintainer.
- every distro maintainer is reviewing every upstream change
- every distro maintainer is qualified to review every upstream change if the threat model is malicious / underhanded code (either a malicious upstream, or a malicious contributor that managed to convince upstream to take a patch) and not just well-commented bad ideas
Especially if they're not updating packages on a regular basis, there are plenty of major free software projects that just frankly have a lot of code, and I have also definitely seen (though perhaps more in the olden days) distro maintainers say that they didn't know the language of the code that they were packaging, that upstream's job was writing code and their job was writing packaging. (And, honestly, because upstreams can choose to change languages, this isn't a particularly unreasonable situation to be in.)
And for distros like Debian, packagers are volunteers, and there is no real ability to enforce that people are doing the work in any specific way beyond looking at their diffs. The Debian new maintainer's guide suggests that you diff the old and new versions for "anything suspicious," but has no particular recommendations on how to do so and also tells you to ignore various generated files: https://www.debian.org/doc/manuals/maint-guide/update.en.htm...
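One way to give the "diff for anything suspicious" advice some structure, as an added example that is not part of the comment above and not Debian's own tooling: a small POSIX shell triage script that compares two unpacked upstream trees and sorts the differences into added, removed, binary, build-script and ordinary changes, so the reviewer reads the build-time scripts first instead of skipping them as generated noise. The sample trees it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Triage helper for a packager reviewing an upstream release update: compares an
# old and a new unpacked source tree and lists the changes to read first.
# Constructed example with sample trees; not Debian tooling (assumption).

# A file is treated as binary if it contains a NUL byte.
is_binary() { [ "$(tr -cd '\000' < "$1" | wc -c | tr -d ' ')" -gt 0 ]; }

# triage OLD NEW: one line per notable change, prefixed with a category.
# BUILD marks scripts that run at build time; a reviewer should read those
# rather than treat them as generated files to ignore.
triage() {
    old=$1; new=$2
    (cd "$new" && find . -type f | sort) | while read -r f; do
        [ -e "$old/$f" ] || echo "ADDED ${f#./}"
    done
    (cd "$old" && find . -type f | sort) | while read -r f; do
        [ -e "$new/$f" ] || echo "REMOVED ${f#./}"
    done
    (cd "$new" && find . -type f | sort) | while read -r f; do
        [ -e "$old/$f" ] || continue            # already reported as ADDED
        cmp -s "$old/$f" "$new/$f" && continue  # identical content
        rel=${f#./}
        if is_binary "$new/$f"; then echo "BINARY $rel"; continue; fi
        case "${rel##*/}" in
            configure|configure.ac|Makefile.am|Makefile.in|*.m4|*.mk|CMakeLists.txt|setup.py|build.rs|*.sh)
                echo "BUILD $rel" ;;
            *)  echo "CHANGED $rel" ;;
        esac
    done
}

# demo: build two small constructed trees and run triage over them.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/old/src" "$tmp/old/docs" "$tmp/new/src"
    printf '#!/bin/sh\necho configuring\n' > "$tmp/old/configure"
    printf '#!/bin/sh\necho configuring\necho checking cc\n' > "$tmp/new/configure"
    printf 'int main(void) { return 0; }\n' > "$tmp/old/src/main.c"
    cp "$tmp/old/src/main.c" "$tmp/new/src/main.c"        # unchanged file
    printf 'void helper(void) {}\n' > "$tmp/new/src/helper.c"
    printf 'release 1\n' > "$tmp/old/README"
    printf 'release 2\n' > "$tmp/new/README"
    printf 'PNG\000\001\002' > "$tmp/old/logo.png"
    printf 'PNG\000\001\003' > "$tmp/new/logo.png"
    printf 'obsolete\n' > "$tmp/old/docs/old.txt"
    triage "$tmp/old" "$tmp/new"
    rm -rf "$tmp"
}

demo
```

Run as `triage old-tree new-tree` on two extracted release tarballs; the categories are only a reading order, and the diff of each BUILD and CHANGED file still has to be read by hand.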