Does anyone find it odd that the non-VCS PKGBUILDs explicitly check to make sure the sources have not changed and that the PKGBUILD someone uses is actually going to build the package the maintainer wrote it for, yet, VCS PKGBUILDs don't? VCS sources may change frequently, but this does not make them more secure and requiring of less scrutiny than non-VCS packages. If anything, they probably should be more scrutinized, since it would be more likely for someone to make a troublesome commit than a troublesome official release. There is also the issue that by automatically grabbing new sources without completely updating the PKGBUILD, many PKGBUILD fields may be incorrect, not just the pkgver. If the license a package is released under changes, the PKGBUILD won't care, etc.. Rather than making an often failed attempt to automatically update the pkgver and ignoring the rest of the PKGBUILD fields, why not have VCS PKGBUILDs behave more like all the other PKGBUILDs. When PKGBUILD sources change, a maintainer should have to update the PKGBUILD and PKGBUILDs which try to build using sources that don't match the PKGBUILD should fail. Figuring out the best way to check sources for all VCSs may require some creativity, but at least git would be really simple: check the hash for the last commit. Also, instead of using the date for the pkgver field of a VCS PKGBUILD, have the pkgver reflect the most recent release that the given development package is based off of. Then, use a commit field to show how many commits ahead of that release a package is. These fields would make it more clear what exactly the PKGBUILD is a PKGBUILD for. If there is no release to use commits since, the field could be left blank. This avoids ambiguity caused by different sources of a development project being released on the same day as well as issues with the sometimes significant difference between when a commit is authored and actually committed. -- David Campbell
On 18/04/10 13:39, David Campbell wrote:
Does anyone find it odd that the non-VCS PKGBUILDs explicitly check to make sure the sources have not changed and that the PKGBUILD someone uses is actually going to build the package the maintainer wrote it for, yet, VCS PKGBUILDs don't?
<snip> That may be considered a feature... I have a git PKGBUILD for makepkg and basically never need to adjust it but always have the latest version when I build it. Anyway, we know that the whole VCS PKGBUILD thing is a bit crap and there are half a dozen bug reports about areas that need fix. See http://wiki.archlinux.org/index.php/User:Allan/Makepkg_VCS_overhaul to add ideas on how we can fix the whole thing. Allan
On Sun, Apr 18, 2010 at 5:39 AM, David Campbell <davekong@archlinux.us> wrote:
Does anyone find it odd that the non-VCS PKGBUILDs explicitly check to make sure the sources have not changed and that the PKGBUILD someone uses is actually going to build the package the maintainer wrote it for, yet, VCS PKGBUILDs don't?
VCS sources may change frequently, but this does not make them more secure and requiring of less scrutiny than non-VCS packages. If anything, they probably should be more scrutinized, since it would be more likely for someone to make a troublesome commit than a troublesome official release.
There is also the issue that by automatically grabbing new sources without completely updating the PKGBUILD, many PKGBUILD fields may be incorrect, not just the pkgver. If the license a package is released under changes, the PKGBUILD won't care, etc..
Rather than making an often failed attempt to automatically update the pkgver and ignoring the rest of the PKGBUILD fields, why not have VCS PKGBUILDs behave more like all the other PKGBUILDs. When PKGBUILD sources change, a maintainer should have to update the PKGBUILD and PKGBUILDs which try to build using sources that don't match the PKGBUILD should fail.
Figuring out the best way to check sources for all VCSs may require some creativity, but at least git would be really simple: check the hash for the last commit.
Also, instead of using the date for the pkgver field of a VCS PKGBUILD, have the pkgver reflect the most recent release that the given development package is based off of. Then, use a commit field to show how many commits ahead of that release a package is. These fields would make it more clear what exactly the PKGBUILD is a PKGBUILD for. If there is no release to use commits since, the field could be left blank. This avoids ambiguity caused by different sources of a development project being released on the same day as well as issues with the sometimes significant difference between when a commit is authored and actually committed. -- David Campbell
A quick answer to say these are all good points imo. However, the "automatic bump" is also a good feature to have. We should have both and just decide for a default. When makepkg started to bump automatically the version, some people quickly reclaimed the need to hold the version, and that option was introduced : --holdver Prevent automatic version bumping for development PKGBUILDs However this only works for cvs , which sets pkgver to a date and can checkout a date, and svn which sets pkgver to a revision and can checkout a revision. The support for all VCS other than cvs and svn is desperately dumb. The second biggest difference between cvs/svn and the rest, that accounts for a lot of suckage with the other VCS, is the inability to query remotely the latest revision/version. We need to download/pull the code first.
The second biggest difference between cvs/svn and the rest, that accounts for a lot of suckage with the other VCS, is the inability to query remotely the latest revision/version. We need to download/pull the code first.
This is not true for git. $ git ls-remote git://projects.archlinux.org/pacman.git | grep HEAD Yannick LM
On 18/04/10 20:43, Yannick LM wrote:
The second biggest difference between cvs/svn and the rest, that accounts for a lot of suckage with the other VCS, is the inability to query remotely the latest revision/version. We need to download/pull the code first.
This is not true for git.
$ git ls-remote git://projects.archlinux.org/pacman.git | grep HEAD
It is an issue with mercurial. Allan
On Sun, Apr 18, 2010 at 12:48 PM, Allan McRae <allan@archlinux.org> wrote:
On 18/04/10 20:43, Yannick LM wrote:
The second biggest difference between cvs/svn and the rest, that accounts for a lot of suckage with the other VCS, is the inability to query remotely the latest revision/version. We need to download/pull the code first.
This is not true for git.
$ git ls-remote git://projects.archlinux.org/pacman.git | grep HEAD
It is an issue with mercurial.
Allan
That's interesting anyway. I didn't even know if was possible with git, and git is the vcs I know the best :P It might be worth to write down a summary of all VCS and their features/commands relevant to makepkg in that wiki page. Because I still think that's the main cause of all current problems.
participants (4)
-
Allan McRae
-
David Campbell
-
Xavier Chantry
-
Yannick LM