On 16-11-27 11:10:51, Eli Schwartz via aur-general wrote:
On 11/27/2016 10:30 AM, Quentin Bourgeois wrote:
You are right, I have removed this. My first goal was to sign my PKGBUILD file; I don't think it's possible?
No, although the AUR is HTTPS.
If people clone the package instead of downloading the snapshot (several AUR helpers can be configured to do that), and if they obtain your public key, they can use git to verify signed commits. Assuming they know you sign your commits. But no AUR helper tries to check that... and how would you know which key to trust?
Inkscape (or any other tool for SVG handling) is needed if one would like to see the result of the generated document in SVG format. As there could be a long list, I am not sure if such dependencies should be put into the PKGBUILD, even in optdepends?
Looking at the project README, it just generates an SVG file (and says you will need a program that opens SVG, like most browsers). It doesn't fundamentally integrate with Inkscape, and you should not add as a dependency every single program capable of opening a specific filetype. In fact, you shouldn't even add one such program. ;)
When it describes "Program to open SVG objects" as a requirement, they probably shouldn't have listed that in the code requirements, since it is only a *logical* requirement...
I added this check in case upstream changes for any reason, so as not to break the build process. The warning should be enough to let me investigate. I generally don't perform operations on resources that might not be present; I just applied this here too.
You should catch that when you make the package yourself before pushing an update to the AUR, since the install command would fail with an error and makepkg would abort with an error. At least, I assume you consume your own packages...
As a general rule, do not clutter up the PKGBUILD with things that can change from version to version unless it is a VCS package and the same PKGBUILD applies from version to version as new commits are pulled from the VCS source. Also, don't make checks like that for things which are really quite unlikely to change. Why do you think they might do that???
With this, I have come up with a simpler PKGBUILD[0] in which I have pushed the modifications you advised. I also removed some dependencies that are used for code coverage and building documentation, which I do not install for now.
Did we get to something good?
[0] https://git.bourgeois.eu/aur_python_viivakoodi.git/tree/
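The check described in the thread (clone the package, obtain the maintainer's public key, verify signed commits with git), shown here as an added example that is not part of the original messages. It assumes the maintainer's primary key fingerprint was obtained out of band and pinned; the function names, the fingerprints and the sample log lines are constructed for illustration.

```shell
# Audit the commit signatures of a cloned AUR package repository against
# one pinned maintainer key. In a real clone, with the maintainer's public
# key already imported into the local GnuPG keyring, the input would be:
#   git log --format='%H %G? %GP' | audit_signatures "$PINNED_FPR"
# %G? is git's signature status: G = good, U = good but key validity
# unknown to GnuPG, N = no signature, B = bad, E = cannot be checked,
# X/Y/R = expired signature, expired key, revoked key.
# %GP is the fingerprint of the primary key behind the signing key.

# Constructed fingerprint standing in for the pinned maintainer key.
SAMPLE_PIN=0123456789ABCDEF0123456789ABCDEF01234567

# Constructed "git log" output: one good commit, one unsigned commit,
# one commit signed by a different key, one good commit with status U.
sample_log() {
    cat <<'EOF'
1111111 G 0123456789ABCDEF0123456789ABCDEF01234567
2222222 N
3333333 G FEDCBA9876543210FEDCBA9876543210FEDCBA98
4444444 U 0123456789ABCDEF0123456789ABCDEF01234567
EOF
}

# audit_signatures PINNED_FPR
# Reads "<hash> <status> [<fingerprint>]" lines on stdin, prints one FAIL
# line per commit that does not verify against the pinned key, and
# returns 0 only when every commit passes.
audit_signatures() (
    pinned=$1
    failed=0
    while read -r hash status fpr; do
        [ -n "$hash" ] || continue
        case $status in
            G|U)
                # The signature is cryptographically good. The pin, not
                # GnuPG's trust database, decides whether it is the right key.
                if [ "$fpr" != "$pinned" ]; then
                    echo "FAIL $hash signed-by=$fpr"
                    failed=1
                fi
                ;;
            *)
                echo "FAIL $hash status=$status"
                failed=1
                ;;
        esac
    done
    [ "$failed" -eq 0 ]
)
```

Pinning the fingerprint addresses the "which key to trust?" question only as far as the pin itself was obtained through a channel independent of the AUR.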