[aur-dev] Git repos for AUR packages

[Techlive Zheng]

On 14-01-09, Techlive Zheng wrote:
> On 14-01-07, Lukas Fleischer wrote:
> > Hi,
> >
> > I think the idea of integrating Git with the AUR [1] is a very good one
> > and should be a milestone for the 3.0.0 release. The idea is to create a
> > Git repository per package.
> >
> > Pros:
> >
> > * Full history of each AUR package, even if the maintainer changes.
> >
> > * Lays the foundations for supporting multiple maintainers per package.
> >
> > * Makes it easier to contribute patches (see git-format-patch(1),
> >   branches and pull requests).
> >
> > * cgit might do quite a lot of the work required on the front-end side.
> >   PKGBUILD previews, history view, tarball generation, Git clone
> >   support, ...
> >
> > * Updating packages will be easier (`git pull` followed by `makepkg -i`
> >   instead of doing all the work from the web browser or via an AUR
> >   helper).
> >
> > Cons:
> >
> > * Needs more space on the AUR server. Currently, an AUR package uses
> >   ~17KiB on the official Arch Linux AUR server. This will probably
> >   increase by a factor of 10. Shouldn't be too problematic unless we get
> >   a lot of new packages or a lot of updates.
> >
> > * More load on the AUR server. Especially if we no longer store tarballs
> >   but use cgit to generate them on the fly (needs to be discussed).
> >
> > Migration should be easy since we can use a small shell script to
> > convert all packages into Git repositories.
> >
> > The first idea is to slightly change the package submission process to
> > extract the whole tarball, parse the PKGBUILD and do a Git commit with
> > the tarball content. There will be an additional text field to enter a
> > (part of the) commit message that is used. As mentioned above, all
> > package repositories will be accessible via cgit. The PKGBUILD preview
> > (and maybe also the tarball download) will be replaced with a simple
> > link to cgit.
> >
> > Later, we should think of how to support support for git-push(1). The
> > main issues are
> >
> > * Authentication: Virtual accounts, somehow connected to the AUR DB?
> > * Integration of the PKGBUILD/.AURINFO parser: Git hook?
> > * DoS protection: Quotas, ...
> >
>
> I don't think we should support `git-push` at all, the reasons are
> simple:
>
> * Git allows overwriting the history by doing a force push `git push -f`.
>   As a community PKGBUILD publishing platform, the git history of a PKGBUILD
>   should not be allowed to be tampered with, whether accidently or
>   intentionally, it should reflect how the PKGBUILD envloved from the start,
>   not the one someone carefully crafted.
>
> * Changed history will cause conflit on `git pull`, which is not something we
>   want to deal with everyday.
>
> Instead, we should stick on the `src.tar.gz` tarball submitting, and make the
> Git commit on the server.
>
> At least, push access should not be granted to normal user, only to TUs.
>

Also, if we allow normal user to push directly with Git, it will be
harder to do sanity check. One can push anything, not just the packaging
files, but anything, binaries, compressed source/build tarballs, even
files unrelated to Arch packaging at all. These malformed files can
exist not only in the Git HEAD, but can be intentionally hided in the
history, makes it hard to control the space quotas.

We'd better only access 'src.tar.gz' tarball and control the commit
process on the server on our own, so that we can do necessary sanity
check to ensure files to be commited are really what they claim to be.


> > Any comments and suggestions are welcome!
> >
> > Regards,
> > Lukas
> >
> > [1] https://bugs.archlinux.org/task/23010