[aur-general] Review and a bit of other help request

Eli Schwartz eschwartz93 at gmail.com
Fri Mar 17 19:33:32 UTC 2017

On 03/17/2017 02:17 PM, Konstantin Gizdov wrote:
> Hi Eli and Sebastian,
> OK, I see the orphan request got approved. Certainly, wasn't looking to
> draw outrage, but get advice on what the appropriate action. I will update
> the relevant pythia, xrootd and submit deletion request myself for the
> others.

Thanks for fixing this yourself. It was less about outrage and more
about being extra-emphatic about what is and isn't appropriate. :)

I save the outrage/abuse for people who have already been told what the
right thing is, and refuse to listen. Everyone makes mistakes, and that
is generally okay as long as it was done in good faith and, upon
realizing the mistake, fixing it.

> As to the package signing, I already know how to detach sign. I also know
> about the source signing. What is not clear to me is repo-add --sign. The
> docs say it will update 'the package database'. Which package database?
> Does AUR keep such info? I though that was for Trusted Users and official
> repos.
> What I want to do is essentially to provide a convenient way for people to
> build or directly download pre-built packages, if they choose to, and be
> able to verify them, without too much hassle. What do you recommend? Should
> I just make a *-bin version on AUR with my signature and detach sign the
> binaries on my own repo? I thought this was also not the AUR way?
> Could I get someone's workflow for signed packages as an example?

No, this is entirely separate from the AUR. See the Wiki page for
"Unofficial user repositories".

Various members of the community host their own prebuilt packages on
their personal servers or whatever, for example, AUR packages that they
use and want to sync on multiple computers, or something that takes a
long compile time and they want to offer in addition to the AUR package.

`repo-add --sign` will allow you to generate a pacman-compatible sync
repository that can be copied/rsynced to your personal server and then
added to pacman.conf to download from your server, while signing the
database itself (it is ideal to sign both the packages, via `makepkg
--sign`, and the sync database itself).

Eli Schwartz

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/aur-general/attachments/20170317/0c8e1a38/attachment-0001.asc>

More information about the aur-general mailing list