On 1/2/22 00:36, David Runge wrote: <snip>
When looking at svn vs. git approaches the fundamental difference is that with svn we track both the package sources *and* their "location" state in the repositories while repo-add/repo-remove is used to add/remove things on the fly to the package repository databases. While with a future git based setup we would have a package source repository per pkgbase and a management repository for arch-repo-management which tracks the state of the repositories transparently and should allow for atomic operations towards the package repository databases (e.g. dbscripts may fail halfway through and leave repositories in a bit of an undefined state when e.g. "moving" package files from a to b).
Thanks - I finally understand the point of this!
Also a couple of quick comments:
1) might as well drop putting the signature into the package database - pacman will not add these by default from next release as the signatures are downloaded alongside the package. This reduced db size substantially.
Yes, that is an open topic in the implementation (this was decided after I implemented it/ I only got to know of that change after I implemented this attribute).
For me this removal raises the following question which has been bothering me a bit and maybe you have an idea how to solve it: How would you allow for filtering packages in a repository for a particular PGP key? We have had quite a few rebuilds due to invalid packager keys or resigning packager keys. It would be great to have this in mind, as I believe that e.g. querying all PGP signature files of a repository to do so is not very feasible, but maybe this can still live on in the proposed management repository as unused "metadata" (e.g. PGP ID) of a given pkgbase which is populated upon import of a given package/ set of packages.
I assumed we were just grepping packager, because I forgot pacman can output the signing keyid from a package signature! I guess you can store the signature in the json files that are stored in VCS. Maybe you want to do the keyid extraction from the signature when adding it to the json file to facilitate easy querying? There is proto code in RFC 4880 for doing this (this is what I used for pacman). This also fits with the package state repository being the source of truth and not the pacman database.

Allan
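The keyid extraction suggested in the last reply, sketched as an added example (not code from this thread, pacman or arch-repo-management): it reads the Issuer subpacket of a version 4 detached signature as laid out in RFC 4880 and attaches the key ID to a package's JSON entry. The function names, the `pgp_keyid` field and the sample signature bytes are assumptions made for illustration.

```python
def _packet_body(data: bytes) -> tuple:
    hdr = data[0]
    if not hdr & 0x80:
        raise ValueError("not a binary OpenPGP packet")
    if hdr & 0x40:  # new-format header: tag in the low 6 bits
        tag, first = hdr & 0x3F, data[1]
        if first < 192:
            start, length = 2, first
        elif first < 224:
            start, length = 3, ((first - 192) << 8) + data[2] + 192
        else:
            raise ValueError("unsupported packet length encoding")
    else:  # old-format header: tag in bits 5-2, length type in bits 1-0
        tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
        if size == 8:
            raise ValueError("indeterminate length not supported")
        start, length = 1 + size, int.from_bytes(data[1:1 + size], "big")
    return tag, data[start:start + length]

def _subpackets(area: bytes):
    # Yields (type, data); a subpacket's length field counts its type octet.
    i = 0
    while i < len(area):
        n, i = area[i], i + 1
        if 192 <= n < 255:
            n, i = ((n - 192) << 8) + area[i] + 192, i + 1
        elif n == 255:
            n, i = int.from_bytes(area[i:i + 4], "big"), i + 4
        if n == 0 or i + n > len(area):
            raise ValueError("malformed subpacket area")
        yield area[i] & 0x7F, area[i + 1:i + n]  # mask off the critical bit
        i += n

def issuer_keyid(sig: bytes) -> str:
    tag, body = _packet_body(sig)
    if tag != 2 or body[0] != 4:
        raise ValueError("expected a version 4 signature packet")
    split = 6 + int.from_bytes(body[4:6], "big")  # end of hashed subpackets
    end = split + 2 + int.from_bytes(body[split:split + 2], "big")
    for kind, value in _subpackets(body[6:split] + body[split + 2:end]):
        if kind == 16 and len(value) == 8:  # Issuer subpacket (RFC 4880, 5.2.3.5)
            return value.hex().upper()
    raise ValueError("no issuer subpacket found")

def with_keyid(entry: dict, sig: bytes) -> dict:
    # "pgp_keyid" is a hypothetical field name for the per-package JSON file.
    return {**entry, "pgp_keyid": issuer_keyid(sig)}

SAMPLE_SIG = bytes.fromhex(  # constructed: v4/RSA/SHA-256, issuer 0123456789ABCDEF
    "881d04000108" "0006050261d0e500" "000a09100123456789abcdef" "abcd0008ff")
```

The Issuer subpacket usually sits in the unhashed area and is not covered by the signature, so the stored key ID is an index for finding packages to rebuild, not evidence of who signed them. It names the key that made the signature, which may be a signing subkey rather than the packager's primary key.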