Hi,

I had a brief discussion about this PR on IRC in #nixos-chat with a few
others.

One of the major points of contention was the fact that you're shipping an
AppImage from a Dropbox, which may or may not be the project's official host.
There are too many extra steps to attempt to verify the AppImage hasn't been
tampered with (join the Telegram, download, compare hashes against the published
md5s (!!), make sure you trust RemixDevs, etc).

If RemixDevs were to put up tagged releases (as seen in various GitHub
projects), I would have less of a problem with this. This way, there is only one
entity to trust: RemixDevs, as opposed to trusting RemixDevs in addition to the
nameless uploader to Dropbox. I don't like the idea of downloading from a
generic file host like Dropbox (and Google Drive, MEGA, etc), because there's no
way to prove it was actually RemixDevs that uploaded it.

However, a better solution would be to figure out how to build and run this from
source. No need to deal with file hosts or (as many) trust issues if you build
from the same source as everybody else.

It was suggested that a better location for this package might be the
NUR.

(One of my original reasons (as you'll see in the IRC logs) for disliking this
was its apparent use for piracy. However, seeing as we already have Sonarr and
friends in Nixpkgs, this ship has sailed and I've retracted that as a reason of
contention.)

IRC conversation starts here: https://logs.nix.samueldr.com/nixos-chat/2020-04-12#3309101

Hi,

I totally understand why it can't be merged in this state.

@mkg20001 and I tried to build it from source, and, from what I understood, it needs changes that he did to Nix to be merged. It does build on MerOS.

The Dropbox link comes from the pkgbuild on the AUR, since RemixDevs don't provide any direct link.

It was suggested that a better location for this package might be the NUR.

Thanks for the suggestion, I'll try to put it there.

Should I close this PR?

Also I should go to the IRC channels more often...