[aur-dev] Git repos for AUR packages

Techlive Zheng techlivezheng at gmail.com
Thu Jan 9 05:48:39 EST 2014

On 14-01-07, Lukas Fleischer wrote:
> Hi,
> I think the idea of integrating Git with the AUR [1] is a very good one
> and should be a milestone for the 3.0.0 release. The idea is to create a
> Git repository per package.
> Pros:
> * Full history of each AUR package, even if the maintainer changes.
> * Lays the foundations for supporting multiple maintainers per package.
> * Makes it easier to contribute patches (see git-format-patch(1),
>   branches and pull requests).
> * cgit might do quite a lot of the work required on the front-end side.
>   PKGBUILD previews, history view, tarball generation, Git clone
>   support, ...
> * Updating packages will be easier (`git pull` followed by `makepkg -i`
>   instead of doing all the work from the web browser or via an AUR
>   helper).
> Cons:
> * Needs more space on the AUR server. Currently, an AUR package uses
>   ~17KiB on the official Arch Linux AUR server. This will probably
>   increase by a factor of 10. Shouldn't be too problematic unless we get
>   a lot of new packages or a lot of updates.
> * More load on the AUR server. Especially if we no longer store tarballs
>   but use cgit to generate them on the fly (needs to be discussed).
> Migration should be easy since we can use a small shell script to
> convert all packages into Git repositories.
> The first idea is to slightly change the package submission process to
> extract the whole tarball, parse the PKGBUILD and do a Git commit with
> the tarball content. There will be an additional text field to enter a
> (part of the) commit message that is used. As mentioned above, all
> package repositories will be accessible via cgit. The PKGBUILD preview
> (and maybe also the tarball download) will be replaced with a simple
> link to cgit.
> Later, we should think of how to add support for git-push(1). The
> main issues are
> * Authentication: Virtual accounts, somehow connected to the AUR DB?
> * Integration of the PKGBUILD/.AURINFO parser: Git hook?
> * DoS protection: Quotas, ...

I don't think we should support `git-push` at all. The reasons are:

* Git allows overwriting the history by doing a force push `git push -f`.
  As a community PKGBUILD publishing platform, the git history of a PKGBUILD
  should not be allowed to be tampered with, whether accidentally or
  intentionally; it should reflect how the PKGBUILD evolved from the start,
  not the one someone carefully crafted.

* Changed history will cause conflicts on `git pull`, which is not something we
  want to deal with every day.

Instead, we should stick to `src.tar.gz` tarball submission, and make the
Git commit on the server.

At least, push access should not be granted to normal users, only to TUs.

> Any comments and suggestions are welcome!
> Regards,
> Lukas
> [1] https://bugs.archlinux.org/task/23010
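
Added illustration, not part of the original message or of the AUR code base: Git's built-in `receive.denyNonFastForwards` and `receive.denyDeletes` settings make a server refuse the `git push -f` history rewrite raised in the reply above. The script works on scratch repositories in a temporary directory; the function names and commit messages are made up for the demonstration.

```shell
#!/bin/sh
# Added example: scratch repositories only; nothing here is AUR code.

# Create a bare "server" repository that refuses history rewrites; print its path.
make_server() {
    srv="$1/server.git"
    git init -q --bare "$srv"
    # Refuse non-fast-forward updates, even when the client passes -f.
    git -C "$srv" config receive.denyNonFastForwards true
    # Refuse ref deletion, otherwise delete-and-recreate bypasses the rule above.
    git -C "$srv" config receive.denyDeletes true
    echo "$srv"
}

# Commit with a fixed identity so the demo needs no user-level git config.
commit() {
    dir="$1"; shift
    git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q --allow-empty "$@"
}

# Push two commits, then try to rewrite and to delete the published branch.
# Prints "rejected" if the server history is untouched, "overwritten" otherwise.
try_force_push() {
    tmp=$(mktemp -d) || return 1
    srv=$(make_server "$tmp")
    work="$tmp/work"
    git init -q "$work"
    git -C "$work" symbolic-ref HEAD refs/heads/master
    commit "$work" -m "initial PKGBUILD"
    commit "$work" -m "pkgrel bump"
    git -C "$work" push -q "$srv" master
    before=$(git -C "$srv" rev-parse refs/heads/master)

    # Rewrite the tip locally, then attempt a force push and a branch deletion.
    commit "$work" --amend -m "rewritten history"
    git -C "$work" push -q -f "$srv" master 2>/dev/null || true
    git -C "$work" push -q "$srv" :master 2>/dev/null || true
    after=$(git -C "$srv" rev-parse -q --verify refs/heads/master || true)

    rm -rf "$tmp"
    if [ "$before" = "$after" ]; then echo rejected; else echo overwritten; fi
}

try_force_push
```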
