[arch-dev-public] arch-repo-management walkthrough 2022-02-02 19:00 CET (UTC+01:00)

Allan McRae allan at archlinux.org
Mon Jan 31 14:59:53 UTC 2022

On 1/2/22 00:36, David Runge wrote:
> When looking at svn vs. git approaches the fundamental difference is,
> that with svn we track both the package sources *and* their "location"
> state in the repositories while repo-add/repo-remove is used to
> add/remove things on the fly to the package repository databases.
> While with a future git based setup we would have a package source
> repository per pkgbase and a management repository for
> arch-repo-management which tracks the state of the repositories
> transparently and should allow for atomic operations towards the package
> repository databases (e.g. dbscripts may fail halfway through and leave
> repositories in a bit of an undefined state when e.g. "moving" package
> files from a to b).

Thanks - I finally understand the point of this!

>> Also a couple of quick comments:
>> 1) might as well drop putting the signature into the package database
>> - pacman will not add these by default from next release as the
>> signatures are downloaded alongside the package.  This reduced db size
>> substantially.
> Yes, that is an open topic in the implementation (this was decided after
> I implemented it/ I only got to know of that change after I implemented
> this attribute).
> For me this removal raises the following question which has been
> bothering me a bit and maybe you have an idea how to solve it:
> How would you allow for filtering packages in a repository for a
> particular PGP key? We have had quite a few rebuilds due to invalid
> packager keys or resigning packager keys. It would be great to have this
> in mind, as I believe that e.g. querying all PGP signature files of a
> repository to do so is not very feasible, but maybe this can still live
> on in the proposed management repository as unused "metadata" (e.g. PGP
> ID) of a given pkgbase which is populated upon import of a given
> package/ set of packages.

I assumed we were just grepping packager, because I forgot pacman can 
output the signing keyid from a package signature!

I guess you can store the signature in the json files that are stored in 
VCS.  Maybe you want to do the keyid extraction from the signature when 
adding it to the json file to facilitate easy querying?  There is proto 
code in RFC 4880 for doing this (this is what I used for pacman).  This 
also fits with the package state repository being the source of truth 
and not the pacman database.
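The key ID extraction Allan mentions, as an added example (not code from arch-repo-management, dbscripts or pacman): a minimal parser for the old-format v4 signature packet that GnuPG writes for detached signatures, following RFC 4880, run over a constructed sample. It assumes the .sig file holds a single old-format packet; the fingerprint, timestamp and MPI values are made up.

```python
def _packet(data):
    """Return (tag, body) of an old-format packet (RFC 4880 4.2.1), the form GnuPG uses for signatures."""
    ctb = data[0]
    if ctb & 0xC0 != 0x80:
        raise ValueError("not an old-format OpenPGP packet")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
    off = {0: 2, 1: 3, 2: 5}[ltype]  # 1-, 2- or 4-octet length; ltype 3 (indeterminate) is invalid here
    return tag, data[off:off + int.from_bytes(data[1:off], "big")]

def _subpackets(area):
    """Yield (type, body) for each subpacket of a hashed or unhashed area (RFC 4880 5.2.3.1)."""
    pos = 0
    while pos < len(area):
        b0 = area[pos]
        if b0 < 192:
            n, pos = b0, pos + 1
        elif b0 < 255:
            n, pos = ((b0 - 192) << 8) + area[pos + 1] + 192, pos + 2
        else:
            n, pos = int.from_bytes(area[pos + 1:pos + 5], "big"), pos + 5
        yield area[pos] & 0x7F, area[pos + 1:pos + n]  # bit 7 of the type octet is the critical flag
        pos += n

def issuer_key_id(sig):
    """Long-form hex key ID of the key that produced a v4 signature packet."""
    tag, body = _packet(sig)
    if tag != 2 or body[0] != 4:
        raise ValueError("expected a version 4 signature packet")
    hashed_len = int.from_bytes(body[4:6], "big")
    unhashed_len = int.from_bytes(body[6 + hashed_len:8 + hashed_len], "big")
    hashed, unhashed = body[6:6 + hashed_len], body[8 + hashed_len:8 + hashed_len + unhashed_len]
    # Prefer the signed (hashed) issuer fingerprint, type 33; the unhashed Issuer subpacket, type 16, is an unsigned hint anyone can rewrite.
    for sub_type, data in _subpackets(hashed):
        if sub_type == 33 and data[0] == 4:
            return data[-8:].hex().upper()  # a v4 key ID is the low 64 bits of the fingerprint
    for sub_type, data in _subpackets(unhashed):
        if sub_type == 16:
            return data.hex().upper()
    raise ValueError("signature carries no issuer information")

# Constructed sample shaped like a GnuPG Ed25519 detached signature (CTB 0x88, 117-byte body); all values are made up.
FPR = bytes.fromhex("0123456789ABCDEF0123456789ABCDEF01234567")
SAMPLE_SIG = (
    b"\x88\x75\x04\x00\x16\x0a"        # tag 2, length 117; v4, binary sig, EdDSA, SHA-512
    + b"\x00\x1d\x16\x21\x04" + FPR    # 29 hashed bytes: issuer fingerprint (type 33, v4) ...
    + b"\x05\x02\x61\xf8\x00\x00"      # ... and signature creation time (type 2)
    + b"\x00\x0a\x09\x10" + FPR[-8:]   # 10 unhashed bytes: Issuer key ID (type 16)
    + b"\xab\xcd"                      # left 16 bits of the signed hash
    + (b"\x01\x00" + bytes(32)) * 2    # two 256-bit MPIs (r, s), zero-filled
)
```

Storing `issuer_key_id(sig)` next to each package entry in the JSON state files makes "which packages were signed with key X" a plain field lookup instead of re-reading every .sig in the repository.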