[aur-general] [REVIEW REQUEST] python-viivakoodi

Eli Schwartz eschwartz93 at gmail.com
Sun Nov 27 16:10:51 UTC 2016

On 11/27/2016 10:30 AM, Quentin Bourgeois wrote:
> You are right, I have removed this. My first goal was to sign my
> PKGBUILD file; I don't think it's possible?

No, although the AUR is HTTPS.

If people clone the package instead of downloading the snapshot (several
AUR helpers can be configured to do that), and if they obtain your
public key, they can use git to verify signed commits. Assuming they
know you sign your commits.
But no AUR helper tries to check that... and how would you know which
key to trust?

> Inkscape (or any other tool for SVG handling) is needed if one would
> like to see the result of the generated document in SVG format. As there
> could be a long list, I am not sure if such dependencies should be put
> into the PKGBUILD, even in optdepends?

Looking at the project README, it just generates an SVG file (and says
you will need a program that opens SVG, like most browsers). It doesn't
fundamentally integrate with Inkscape, and you should not add as a
dependency every single program capable of opening a specific filetype.
In fact, you shouldn't even add one such program. ;)

When it describes "Program to open SVG objects" as a requirement, they
probably shouldn't have listed that in the code requirements, since it
is only a *logical* requirement...

> I added this check in case upstream changes for any reason, so as not to
> break the build process. The warning should be enough to let me investigate.
> I generally don't perform operations on resources that might not be
> present; I just applied this here too.

You should catch that when you make the package yourself before pushing
an update to the AUR, since the install command would fail with an error
and makepkg would abort with an error. At least, I assume you consume
your own packages...

As a general rule, do not clutter up the PKGBUILD with things that can
change from version to version unless it is a VCS package and the same
PKGBUILD applies from version to version as new commits are pulled from
the VCS source.
Also, don't make checks like that for things which are really quite
unlikely to change. Why do you think they might do that???

Eli Schwartz
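
The check described in the message above (cloning the package and using git to verify a signed commit), as an added example that is not part of the original message or of any AUR helper. The function names and the fingerprint are hypothetical, and the pinned fingerprint is assumed to have been obtained from the maintainer out of band.

```shell
#!/bin/sh
# Added example: accept a cloned AUR repo's HEAD only if it is signed by a pinned key.

# Constructed placeholder fingerprint, not a real key.
PINNED_FPR=0123456789ABCDEF0123456789ABCDEF01234567

# Reads gpg status lines on stdin (as printed by `git verify-commit --raw`).
# Succeeds only if a VALIDSIG line names the pinned primary-key fingerprint
# and no failure status (bad, expired or revoked signature/key) is present.
sig_matches_pin() {
    awk -v pin="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 12 is the primary-key fingerprint; fall back to the
            # signing-key fingerprint (field 3) if gpg did not print it.
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == toupper(pin)) ok = 1
        }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# Usage: verify_aur_head <clone-dir> <pinned-fingerprint>
# An unsigned commit produces no status lines, so it is rejected as well.
verify_aur_head() {
    git -C "$1" verify-commit --raw HEAD 2>&1 | sig_matches_pin "$2"
}

# Constructed status output for a good signature by the pinned key.
sample_status() {
    cat <<EOF
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Maintainer <maintainer@example.org>
[GNUPG:] VALIDSIG $PINNED_FPR 2016-11-27 1480262400 0 4 0 1 8 00 $PINNED_FPR
EOF
}

if sample_status | sig_matches_pin "$PINNED_FPR"; then
    echo "HEAD is signed by the pinned key"
fi
```

Matching on the full fingerprint rather than the short key ID or the user ID string matters here, because both of the latter can be chosen freely by whoever creates a key.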
