[aur-general] Fwd: please add -depth 1 to makepkg git clone

William Giokas 1007380 at gmail.com
Sat Apr 6 14:25:20 EDT 2013 

On Sat, Apr 06, 2013 at 11:10:52AM -0700, Tai-Lin Chu wrote:
> >Doesn't matter. cp does nothing with checksums, whereas git will
> >preserve every byte, and it literally can't go bad (or if it does on the
> >extremely off chance, it will simply stop the build). Maybe rsync, you
> >say? That still isn't cryptographically secure. Using git, you can
> >guarantee that the files you are building from are exactly the same as
> >anyone else, which is what we want with makepkg.
> 
> cp and git clone are exactly the same. see cp source code, and if the
> file is corrupted, then you have even bigger problems.
> In general very not likely. (i mean if this happen, 1. kernel has
> problem 2. your disk goes bad)
> stackoverflow confirmed the result.
> http://stackoverflow.com/questions/852561/is-it-safe-to-use-a-copied-git-repo
> 
> >There's minimal point to this. As I've said numerous times, it does not
> >allow you to clone the shallow bare repo, which is what makepkg gets
> >when it fetches git sources.
> 
> aren't we talking about cp....?

Here, run this quick script and see what you can do with it:

  #!/bin/bash
  mkdir -p /tmp/dumb/
  pushd /tmp/dumb/
  echo "==> Cloning into a bare repository..."
  git clone --verbose --bare git://github.com/falconindy/cower.git barerepo
  echo "==> Creating copy of this repo using cp..."
  cp -r -a /tmp/dumb/barerepo /tmp/dumb/barecp
  echo "==> Done"
  echo "==> Creating copy of this repo using git clone..."
  git clone --verbose /tmp/dumb/barerepo barerepocopy
  echo "==> Done"

If you look at the one generated by the 'cp' command you will see that
it is totally missing the actual files, and only contains (duh) the bare
repository files. This is utterly worthless for building, and also, if
there is disk failure, makepkg will still try to build.

Looking into the one generated by the git clone, you'll see that it has
all of the correct files and can actually be built.
                    
>                   
> >If they're all doing it at the same time, cloning fresh repositories,
> >then yes. that may be an issue on some large projects with very terrible
> >servers. Also, if you're worried about server load, mirror the
> >repository yourself so people can gake the load off of the host server.
> >This is the joy of a DVCS.
> 
> I dont have a server, and this is not practical. certainly using git
> pkgbuild with shallow clone is far easier than what you mentioned.

Not at all. See the script above.

!next
-- 
William Giokas | KaiSforza
GnuPG Key: 0x73CD09CF
Fingerprint: F73F 50EF BBE2 9846 8306  E6B8 6902 06D8 73CD 09CF
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://mailman.archlinux.org/pipermail/aur-general/attachments/20130406/b4889003/attachment.asc>

More information about the aur-general mailing list