[arch-general] Unofficial Repository Guidelines
Hey everyone,

There are no guidelines on the wiki for creating and distributing unofficial repositories. The tools make this feature incredibly easy to implement, but with that power comes great responsibility, and I am a bit confused. It would be nice to have a set of guidelines for creating and distributing unofficial repositories on the wiki.

The reason I ask this is because I created two signed repositories for some packages I maintain, zfs and netflix-desktop. They do have usage, and in my forum posts, people seem to really appreciate the availability of the repo. However, I am not a TU, so my keys are not signed by any of the master keys. I don't want to contribute to a bad habit of not checking package sources before installing something from some repo.

When I brought the topic up in #archlinux, there was some concern I was using a repo and not solely relying on AUR. I did my best to provide lots of information to people, like the complete sources and lots of information about myself and the packages so people are comfortable adding my key to their keyring. But I am a very thorough person, so doing this is natural. Others won't be so willing to do the work.

So what is the general consensus regarding unofficial repositories?

Thanks,
demizer
On Tuesday 20 Nov 2012 20:48:42 Jesus Alvarez wrote:
> When I brought the topic up in #archlinux, there was some concern I was using a repo and not solely relying on AUR.

Why do you not want to use AUR?

--
Cheers
Jayesh
say no to html | http://www.asciiribbon.org/
use bottom posting | http://www.netmeister.org/news/learn2quote2.html
On Tue, Nov 20, 2012 at 10:26 PM, Jayesh Badwaik <jayesh.badwaik90@gmail.com> wrote:
> Why do you not want to use AUR?

Who says he's not? All the packages he's mentioned are available on the AUR, maintained by him; he's offering unofficial repositories as a supplement to the AUR, for people like myself who don't want to kill their laptop compiling all of Wine.

~Celti
On Tuesday 20 Nov 2012 22:32:13 Patrick Burroughs wrote:
> Who says he's not? All the packages he's mentioned are available on the AUR, maintained by him; he's offering unofficial repositories as a supplement to the AUR, for people like myself who don't want to kill their laptop compiling all of Wine.
Oh sorry, my bad.

--
Cheers
Regards
[2012-11-20 20:48:42 -0800] Jesus Alvarez:
> The reason I ask this is because I created two signed repositories for some packages I maintain, zfs and netflix-desktop. They do have usage, and in my forum posts, people seem to really appreciate the availability of the repo. However, I am not a TU, so my keys are not signed by any of the master keys. I don't want to contribute to a bad habit of not checking package sources before installing something from some repo. When I brought the topic up in #archlinux, there was some concern I was using a repo and not solely relying on AUR.

Having your personal repository in open access is great! It is always nice to upload to the AUR the sources of those packages that you expect will be of use to other people, but that can perfectly well be done on top of putting them in your personal repository.

In my opinion it is entirely up to people who install packages from your repository to verify their quality; the only thing you can do is make it easier for them by making the sources available, publishing your signing key at many places, etc. (And you seem to say you have been doing that.)

I would just additionally recommend putting a short banner at the root of your repository to act both as a short howto and legal statement; here is mine for instance:

http://arch.vesath.org/00.README.TXT

That's it. There are no official guidelines or anything like that, and the above is the only etiquette I can think of.

Cheers.

--
Gaetan
On Wed, Nov 21, 2012 at 04:39:53PM +1100, Gaetan Bisson wrote:
> Having your personal repository in open access is great!

Does that mean not PGP signed?

> I would just additionally recommend putting a short banner at the root of your repository to act both as a short howto and legal statement; here is mine for instance:

I do this with an index.html file. For example,

http://demizerone.com/archzfs

Is there some special meaning to 00.README.TXT? Does pacman pick that up and display it in the terminal?

- demizer
[2012-11-20 23:07:28 -0800] Jesus Alvarez:
> On Wed, Nov 21, 2012 at 04:39:53PM +1100, Gaetan Bisson wrote:
>> Having your personal repository in open access is great!
>
> Does that mean not PGP signed?

No, it means making the repository publicly accessible, as opposed to keeping it on a private server. This is independent from whether or not you sign packages - which of course you should.

>> I would just additionally recommend putting a short banner at the root of your repository to act both as a short howto and legal statement; here is mine for instance:
>
> I do this with an index.html file. For example,

Even better.

> Is there some special meaning to 00.README.TXT? Does pacman pick that up and display it in the terminal?

No; it's just catchy. :)

--
Gaetan
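Added example, not part of any message in this thread: what the user side of a signed unofficial repository looks like in pacman.conf when the maintainer's key is not signed by the master keys. The repository name, server URL and `<KEYID>` are placeholders, not values from the thread.

```ini
# /etc/pacman.conf (fragment; repository name and URL are placeholders)

# Weak: signatures for this repository are never checked, so whoever
# controls the server, or the connection to it, decides what gets installed.
#[unofficial-example]
#SigLevel = Never
#Server = https://repo.example.org/$repo/$arch

# Stronger: packages and the repository database must both carry a valid
# signature from a key that the local keyring trusts.
[unofficial-example]
SigLevel = Required TrustedOnly
Server = https://repo.example.org/$repo/$arch

# Because the maintainer's key is not signed by the Arch master keys,
# pacman rejects these packages until the key is trusted locally:
#   pacman-key --recv-keys <KEYID>
#   pacman-key --finger <KEYID>     # compare with the fingerprint the
#                                   # maintainer publishes in other places
#   pacman-key --lsign-key <KEYID>  # only after the fingerprint matches
```

Locally signing the key is the trust decision: from then on every package signed by that key installs without further prompts, which is why the fingerprint comparison comes first.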
participants (4)
- Gaetan Bisson
- Jayesh Badwaik
- Jesus Alvarez
- Patrick Burroughs (Celti)