On Sun 06 Feb 2011 17:52 -0600, Thomas Dziedzic wrote:
On Sun, Feb 6, 2011 at 4:58 PM, keenerd <keenerd@gmail.com> wrote:
On 2/6/11, Loui Chang <louipc.ist@gmail.com> wrote:
You probably want to grab the tarballs, and extract what's in those. The next release of the AUR will only have tarballs and PKGBUILDs. The other files won't be extracted.
Hey, you are stealing my idea! :-) AUR3 does that, and it saves several hundred megabytes. Completely worth it.
I fail to see how this is worth it, imo, a better system is to convert to git and not track the src.tar.gz
Is there a good reason for this switch? To save 450mb is not a good reason imo, for an incomplete listing of all the files.
Well, there are several reasons. Lukas' commit message from commit ec0dfc2 briefly summarizes it.
Automatic tarball extraction was vulnerable in different ways. Users should also only use source tarballs to build packages, so this has been removed completely. From now on, only the PKGBUILD is extracted in a secure manner.
Also, I'm not really sure that git is the best way to distribute source packages, but I'm glad that you're exploring different options. :D If I want to obtain or share a few build scripts for a few packages I really don't want to keep a 450mb repo. I have heard about shallow checkouts being implemented in git though, so maybe it could work. devtools uses subversion at least partially because of this large checkout issue.