[aur-general] TU Application: Baptiste Jonglez
eschwartz93 at gmail.com
Mon Nov 28 16:05:06 UTC 2016
On 11/28/2016 06:20 AM, Levente Polyak wrote:
> - you should use git+https:// instead of plain git:// even through the
> CA world is a bit wonky it still authenticates the server and at the
> very bare minimum adds confidentiality.
Now that you mention it, this does seem rather obvious... maybe I should
switch my own AUR packages to do this. It is just as fast, so there is
no real downside.
Now I'm glad I read these threads!
> - #tag= should never be used for git packages, instead store the commit
> hash for the tag and always use the #tag= prefix.
> A named tag does not mean much and you won't even notice when upstream
> changes such. This is especially bad when using plain git:// :-)
Well, I should hope upstream doesn't re-release their tags... if so, you
might have other problems.
Anyway, I would instead suggest that there is no need to pull the source
code for stable releases via git (which for long-lived projects like the
Linux kernel means a *lot* of history to download).
I can barely understand that, in the case of e.g. systemd which uses git
to backport commits. Although really, github allows you to download a
commit as a patch file...
I usually only see that in repo PKGBUILDs. I guess since the devs are
usually the only ones building the package, and the dev keeps the clone
around, it "doesn't matter" that hypothetical others would have to clone
all that history?
But from the repo PKGBUILDs I have seen, it seems to me as though there
is no policy whatsoever... some devs do like you suggest, other devs are
more than happy to use "#tag=$pkgver".
> - just a bit of style, but we have arch specific depends like
> depends_x86_64 which looks better :P
That isn't "style", that is something that *must* be done, for practical
purposes. makepkg --printsrcinfo relies on arch-dependent variables that
are *always* there, in order to actually print truthful values. Also,
arch-dependent sources done properly will allow updpkgsums to properly
update, rather than merging the local *sums_$CARCH into the main
All that matters a lot in the AUR, which depends on .SRCINFO, even if it
doesn't matter so much in the repos which depend on the metadata in a
> - #branch= should never be used for non VCS git packages, instead store
> the commit hash for the tag and always use the #tag= prefix. A named
> branch does not mean much and you won't even notice when upstream
> changes or adds commits to such.
It has a pkgver() function which generates a VCS-style pkgver, and draws
from a #branch= so actually it is a VCS git package. The problem is that
it doesn't say so in the pkgname. :p
More information about the aur-general