[aur-general] [Announcement] First public git repo of the complete AUR.
Loui Chang
louipc.ist at gmail.com
Sun Feb 6 19:22:56 EST 2011
On Sun 06 Feb 2011 17:52 -0600, Thomas Dziedzic wrote:
> On Sun, Feb 6, 2011 at 4:58 PM, keenerd <keenerd at gmail.com> wrote:
> > On 2/6/11, Loui Chang <louipc.ist at gmail.com> wrote:
> >> You probably want to grab the tarballs, and extract what's in those.
> >> The next release of the AUR will only have tarballs and PKGBUILDs.
> >> The other files won't be extracted.
> >
> > Hey, you are stealing my idea! :-) AUR3 does that, and it saves
> > several hundred megabytes. Completely worth it.
>
> I fail to see how this is worth it, imo, a better system is to convert
> to git and not track the src.tar.gz
>
> Is there a good reason for this switch? To save 450mb is not a good
> reason imo, for an incomplete listing of all the files.
Well, there are several reasons. Lukas' commit message from commit ec0dfc2
briefly summarizes it.
> Automatic tarball extraction was vulnerable in different ways. Users
> should also only use source tarballs to build packages, so this has
> been removed completely. From now on, only the PKGBUILD is extracted
> in a secure manner.
Also,
I'm not really sure that git is the best way to distribute source
packages, but I'm glad that you're exploring different options. :D
If I want to obtain or share a few build scripts for a few packages I
really don't want to keep a 450mb repo.
I have heard about shallow checkouts being implemented in git though, so
maybe it could work. devtools uses subversion at least partially because
of this large checkout issue.
More information about the aur-general
mailing list