[aur-general] TU Application: Baptiste Jonglez
anthraxx at archlinux.org
Mon Nov 28 16:26:25 UTC 2016
On 11/28/2016 05:05 PM, Eli Schwartz via aur-general wrote:
> On 11/28/2016 06:20 AM, Levente Polyak wrote:
>> - #tag= should never be used for git packages, instead store the commit
>> hash for the tag and always use the #tag= prefix.
uuups, you caught me :P My bad! Of cause this should be #commit=
>> A named tag does not mean much and you won't even notice when upstream
>> changes such. This is especially bad when using plain git:// :-)
> Well, I should hope upstream doesn't re-release their tags... if so, you
> might have other problems.
Well I already encountered a re-release at least twice, shame on them!
When using a commit hash you gain basically two things out of the box:
- get aware if wonky upstream changes something
- get an integrity value that a potential attacker must defeat, which
not be the easiest task for a full commit hash (for a short partial
hash there are of cause some PoC's/tools available)
> But from the repo PKGBUILDs I have seen, it seems to me as though there
> is no policy whatsoever... some devs do like you suggest, other devs are
> more than happy to use "#tag=$pkgver".
Well i assume "more happy" just means "able to be more lazy" (without
any offense to anyone!) :P
In fact we already had several discussions in the IRC about this topic
and what I mentioned above was always sufficient to justify getting rid
of it. The only reason we don't yet have a TODO list to switch away from
#tag= is simply lack of time (but its still on my todo list besides
getting a TODO list for git:// sources).
If a remember correctly either heftig or JGC has created a convenience
script to update a PKGBUILDs values, maybe they share it with us :)
>> - just a bit of style, but we have arch specific depends like
>> depends_x86_64 which looks better :P
> That isn't "style", that is something that *must* be done, for practical
> purposes. makepkg --printsrcinfo relies on arch-dependent variables that
> are *always* there, in order to actually print truthful values. Also,
> arch-dependent sources done properly will allow updpkgsums to properly
> update, rather than merging the local *sums_$CARCH into the main
> checksums array.
> All that matters a lot in the AUR, which depends on .SRCINFO, even if it
> doesn't matter so much in the repos which depend on the metadata in a
> built package.
Fair enough... that's a pretty good point why it should be mandatory.
Did not really take the .SRCINFO into account for this particular case.
>> - #branch= should never be used for non VCS git packages, instead store
>> the commit hash for the tag and always use the #tag= prefix. A named
>> branch does not mean much and you won't even notice when upstream
>> changes or adds commits to such.
> It has a pkgver() function which generates a VCS-style pkgver, and draws
> from a #branch= so actually it is a VCS git package. The problem is that
> it doesn't say so in the pkgname. :p
Well yes... and no... though the same while looking at it but at the end
I'm not quite sure what the intention of Baptiste is. As the branch used
is a simple version identifier, I assumed he pretty much wanted to have
a static versioned package.
pkgver() itself does not tell us which one it should be, if you have a
static version package that pulls from a git commit hash you can have a
pkgver() function for convenience.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: OpenPGP digital signature
More information about the aur-general