[aur-general] AUR4, git, subtrees ELI5?

David Kaylor dpkaylor at gmail.com
Fri Jun 12 10:42:30 UTC 2015

On Fri, Jun 12, 2015 at 5:34 AM, Lukas Fleischer <lfleischer at archlinux.org>

> No. It also does not register a new AUR account or set up your Internet
> connection. It submits packages to the AUR. As I said before, generating
> and adding the key is a tiny one-time process and automating it doesn't
> pay off.

Agreed, it's trivial.

> * We would have to reintroduce the Archive::Tar library which we had
>   several issues with in the past and were very happy to get rid of.
> * You need to be very careful when extracting tarballs. It is quite easy
>   to build ZIP bombs. This is one of the reasons we only extracted the
>   PKGBUILD (and no other files) when the AUR submissions still required
>   uploading source tarballs. What you suggest would require extracting
>   everything, though.
> * We would have to create checkouts for the Git repositories that are
>   submitted via tarballs. We put a lot of time into making the storage
>   as space efficient as possible, using a shared object storage with
>   gitnamespaces. We can currently store the ~10000 packages uploaded so
>   far with <40MB disk usage. Creating checkouts would mean that this
>   increases by a factor of ~20. Creating and destroying checkouts on the
>   fly is also quite ugly and something I would like to avoid.

> * The AUR web interface is written in PHP, the Git backend is written in
>   Python. We would either have to duplicate all the sanity checks or
>   create some weird interface between the tools that involves reading
>   and converting error messages from the standard file descriptors.

Agreed, sounds like it's non-trivial, and not maintainable.

> Also, I do not understand all the fuss about Git. We don't expect people
> to be Git experts. There are a lot of tutorials and there are detailed
> explanations in the Arch wiki. You should be able to submit a package by
> only copy-pasting snippets from the wiki without even understanding what
> is going on.
> If people really refuse to learn the five most basic Git commands, they
> had better not maintain any AUR packages. Maintaining packages means that
> you are willing to understand basic packaging and VCS tools. Tracking
> down issues with a package often involves using the upstream VCS and
> nowadays, most projects use Git.

Yep, agreed. Time to learn, and in any case, not that difficult.

> It is expected (and intended) that some (hopefully not too many) AUR
> package maintainers back out due to the new system. It is also intended
> that a huge number of packages is not imported into the new AUR and
> anything that automatically transfers packages is undesirable. We only
> want users to resubmit their stuff if they want to take care of it in
> the future. Think of it as a huge AUR cleanup.

And finally, you state your position; cull the herd. Again, I don't
disagree, but it's usually best to state intentions from the very
beginning. So make sure that statement is at the very head of the wiki
related to the transition to AUR4. "Basic working knowledge of Git is
expected of all AUR package maintainers. Otherwise, sod off."
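
The quoted point about extracting only the PKGBUILD from an uploaded tarball, as an added example that is not part of this thread or of the AUR code base: it streams a `.tar.gz`, returns one member and budgets everything it has to skip. The function names, the size caps and the `pkgname/PKGBUILD` layout are assumptions made for the sketch.

```python
import io
import tarfile

# Caps and archive layout are assumptions for this sketch, not AUR values.
MAX_PKGBUILD_BYTES = 64 * 1024
MAX_SKIPPED_BYTES = 1024 * 1024
MAX_MEMBERS = 1000


class UnsafeArchive(Exception):
    """Raised when the tarball breaks a limit or lacks a usable PKGBUILD."""


def read_pkgbuild(fileobj, pkgname):
    """Return the PKGBUILD bytes of a .tar.gz without unpacking anything else."""
    wanted = f"{pkgname}/PKGBUILD"
    skipped = 0
    # "r|gz" streams the archive front to back; nothing is written to disk.
    with tarfile.open(fileobj=fileobj, mode="r|gz") as tar:
        for count, member in enumerate(tar, 1):
            if count > MAX_MEMBERS:
                raise UnsafeArchive("too many members")
            if member.name != wanted:
                # Skipping still decompresses the member, so budget it using
                # the size declared in its header before moving on.
                skipped += member.size
                if skipped > MAX_SKIPPED_BYTES:
                    raise UnsafeArchive("decompressed size budget exceeded")
                continue
            if not member.isreg():
                raise UnsafeArchive("PKGBUILD is not a regular file")
            if member.size > MAX_PKGBUILD_BYTES:
                raise UnsafeArchive("PKGBUILD too large")
            return tar.extractfile(member).read()
    raise UnsafeArchive("no PKGBUILD in archive")


def build_sample(files):
    """Constructed sample input: an in-memory .tar.gz from (name, bytes) pairs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf
```

The budget on skipped members matters because a few kilobytes of compressed zeros can declare gigabytes of data ahead of the PKGBUILD; the check fires on the header, before that data is decompressed.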
