[aur-general] Review of clickhouse-static PKGBUILD
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hello, dear TUs and Arch developers. I'd like to ask relative the package clickhouse-static[1]. The officially supported way to build ClickHouse binaries is static linking[2]. And my question: is it possible that the package with the current building structure (getting contribs like submodules in upstream, static linking etc.) would theoretically come to [community] repository? Best regards, Mikhail f. Shiryaev [1] https://aur.archlinux.org/packages/clickhouse-static/ [2] https://clickhouse.tech/docs/en/development/style/#platform -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEESIZn3Pa5datRJo5TOc1XU71dhW8FAl5AolAACgkQOc1XU71d hW9BsBAAjrsvRpWHLyUwFtc8iku6U6mzeOSPPG5WqgzREXBCxbniEYuDRbvUOfr5 C4Ua8y8vzq+x42Hg82PM5hcJErftcSPcQvD1o86Omxb7ZRIkeMcWmfVKcegcOTtm a/4VhUb5RuriC7L8euY6jL7a3v6j047VHZPFO5HYU0OJqL40dBR1zdBcRKw8uJXi GvmB7nJVhdPDGHP+HrE3ke7etyHB0yv8BqiQO/EPeqR3xxok6AdZYcARx/THSskV j8F2G3gOVYjDnDfn2e0J7eGN3ZjjuEIJg6133Fv3sh52akvU/zFT0WEMNkO6L6YZ Ku9uPWZ+1oaTYpqEimRNRTrpth+JqozthlUzFn+wNOxSJuUtu6a4/Qd0RJeYW80b l3Qm83aTSwv5vjMpm09eD6djfD7q6XZ3U+gPrY/Ntc1AxR8R6FuRiozxOYPzR2HA c7JZNm2li7WnoXh5wm5f3rPJo6SfdJRDIfLPAn6gigLed4WRJKE9VCDc8WtCWwcU kbfi9GBD95bd1XqSXf3OGfSaAnc71dXPWr8MV23QFNrmkPbx21+d6AW0CNBTmHpg 6OXLWkJIRMHFxtbdk043Ne/wq05jLnF6+a5adllkwmlnI14auaR2Ud5RUN1Gy6St 7zu07Ozv7yM/Y9+Q154l8r7ivy7+l9tynUs0FGTHjASKSc0vFvY= =Knpg -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
It looks like mail-list has added new lines automatically,
so the signature is bad now. Here's the new one.
Best regards,
Mikhail f. Shiryaev
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEESIZn3Pa5datRJo5TOc1XU71dhW8FAl5BS68ACgkQOc1XU71d
hW/8gA/5Ac3bNFt7W/2JEa2HicnQweWNKPbHXez1GGQgFBRxB4GiVtkwfh9X2mzq
Y4hhGDs0cRCiB2JmMWpi/6DWM3oSA5M3wU6NURk2jZ/+cbwK3i6WA6Tqu+vZ6g7l
lyd7oUEh/EEokVokCYDRCYG6yytDNx/uLC1OyK2z3D6bnLsM+v7HFKolhMQBJcUj
EZIw0VI91rYKHdHfH2rgmHuDtJ/lCBFWFy6t0AJshOuexUfJ2RA2NBtjrryNTiYg
2qyr0c8IwgIXp3qaKwlzVk7Kyvr9nalx4aVfCNp8l/7Dsrflm+jQq44N/wmDFtj6
MaxNXmxzPijaA8LF/6wIJoD8Fh6hPeU4MYB4UglPvSJqeC+0enq0v5uSBsLB8WCM
Hn/b8CDY2Sd/7dituk1WPwmj6eAZGp8XzeucpRklXEhPptzTgcn+MIX4LumuBD86
bNQ6bOjS18GAbTL42cAGGblFY4jzks2ZWGl3FI71R4mftxqK9GWndThctgafLUTS
cxGMpD6aYFE0dxAP0U9ZxOTHV4U/3pbYnEHLWA6CgdOgoj1IFx+GFHeR8YfUCJhg
LGkKfjcIgI/0wfUJpMgKz7QJsUYae2tw1EvXtc5twJ9tIekHLDIquDXKZG6P5Kw/
v36iRdY0DDP0dgSwKwgxvc3mXTutfw+cSVhewdYjygSTWRU0hU8=
=qjy0
-----END PGP SIGNATURE-----
пн, 10 февр. 2020 г. в 11:02, Felixoid
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
Hello, dear TUs and Arch developers.
I'd like to ask relative the package clickhouse-static[1]. The officially supported way to build ClickHouse binaries is static linking[2]. And my question: is it possible that the package with the current building structure (getting contribs like submodules in upstream, static linking etc.) would theoretically come to [community] repository?
Best regards, Mikhail f. Shiryaev
[1] https://aur.archlinux.org/packages/clickhouse-static/ [2] https://clickhouse.tech/docs/en/development/style/#platform -----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEESIZn3Pa5datRJo5TOc1XU71dhW8FAl5AolAACgkQOc1XU71d hW9BsBAAjrsvRpWHLyUwFtc8iku6U6mzeOSPPG5WqgzREXBCxbniEYuDRbvUOfr5 C4Ua8y8vzq+x42Hg82PM5hcJErftcSPcQvD1o86Omxb7ZRIkeMcWmfVKcegcOTtm a/4VhUb5RuriC7L8euY6jL7a3v6j047VHZPFO5HYU0OJqL40dBR1zdBcRKw8uJXi GvmB7nJVhdPDGHP+HrE3ke7etyHB0yv8BqiQO/EPeqR3xxok6AdZYcARx/THSskV j8F2G3gOVYjDnDfn2e0J7eGN3ZjjuEIJg6133Fv3sh52akvU/zFT0WEMNkO6L6YZ Ku9uPWZ+1oaTYpqEimRNRTrpth+JqozthlUzFn+wNOxSJuUtu6a4/Qd0RJeYW80b l3Qm83aTSwv5vjMpm09eD6djfD7q6XZ3U+gPrY/Ntc1AxR8R6FuRiozxOYPzR2HA c7JZNm2li7WnoXh5wm5f3rPJo6SfdJRDIfLPAn6gigLed4WRJKE9VCDc8WtCWwcU kbfi9GBD95bd1XqSXf3OGfSaAnc71dXPWr8MV23QFNrmkPbx21+d6AW0CNBTmHpg 6OXLWkJIRMHFxtbdk043Ne/wq05jLnF6+a5adllkwmlnI14auaR2Ud5RUN1Gy6St 7zu07Ozv7yM/Y9+Q154l8r7ivy7+l9tynUs0FGTHjASKSc0vFvY= =Knpg -----END PGP SIGNATURE-----
On February 10, 2020 5:02:08 AM EST, Felixoid via aur-general
Hello, dear TUs and Arch developers.
I'd like to ask relative the package clickhouse-static[1]. The officially supported way to build ClickHouse binaries is static linking[2]. And my question: is it possible that the package with the current building structure (getting contribs like submodules in upstream, static linking etc.) would theoretically come to [community] repository?
Best regards, Mikhail f. Shiryaev
[1] https://aur.archlinux.org/packages/clickhouse-static/ [2] https://clickhouse.tech/docs/en/development/style/#platform
Unlikely, but not really worth the conversation unless a team member wants to add it to the repos. -- Best, Daniel https://danielcapella.com
Tue Feb 11 23:25:09 UTC 2020 Eli Schwartz <eschwartz at archlinux.org>
"upstream recommends using vendored static linking" is not an acceptable reason to violate the packaging guidelines.
The program *must* build using the system versions of the 46 dependencies listed in the -static package, and the pkgname must be "clickhouse", not "clickhouse-static", in order to be moved to community; this is part of the "quality of life" care which defines a Trusted User's job.
Among other things, this ensures that the openssl and libcurl versions used are the latest versions which are tracked on the security tracker and patched with security backports if needed -- something which is understandably important for anything that is communicating over the network.
Also, libxml2 from 2 years ago, which is a bit ouch because xml is not exactly the least-exploited data format ever.
Even linux distributions which build statically by default, will expect that the program link to the system's lib*.a static library packages rather than build a custom one.
Hello Eli, Thank you for the full answer. So, as a conclusion, to fulfill the requirements, every dependency must be added to [community] before the main package, and only after that clickhouse could be added there as well. That's understandable. Maybe, I could try to implement the regular buildings for Arch in the repo and then will bring this topic again. Best regards, Mikhail f. Shiryaev
On 2/10/20 5:02 AM, Felixoid via aur-general wrote:
Hello, dear TUs and Arch developers.
I'd like to ask relative the package clickhouse-static[1]. The officially supported way to build ClickHouse binaries is static linking[2]. And my question: is it possible that the package with the current building structure (getting contribs like submodules in upstream, static linking etc.) would theoretically come to [community] repository?
"upstream recommends using vendored static linking" is not an acceptable reason to violate the packaging guidelines. The program *must* build using the system versions of the 46 dependencies listed in the -static package, and the pkgname must be "clickhouse", not "clickhouse-static", in order to be moved to community; this is part of the "quality of life" care which defines a Trusted User's job. Among other things, this ensures that the openssl and libcurl versions used are the latest versions which are tracked on the security tracker and patched with security backports if needed -- something which is understandably important for anything that is communicating over the network. Also, libxml2 from 2 years ago, which is a bit ouch because xml is not exactly the least-exploited data format ever. Even linux distributions which build statically by default, will expect that the program link to the system's lib*.a static library packages rather than build a custom one. -- Eli Schwartz Bug Wrangler and Trusted User
participants (4)
-
Daniel M. Capella
-
Eli Schwartz
-
Felixoid
-
Mikhail f. Shiryaev