[aur-general] Review and a bit of other help request

Konstantin Gizdov arch at kge.pw
Thu Mar 23 01:53:08 UTC 2017

Hi again,

So I updated xrootd and pythia and submitted the relevant deletion
requests. Now, can I get some package reviews? Thanks.


On Fri, Mar 17, 2017 at 9:33 PM, Eli Schwartz via aur-general <
aur-general at archlinux.org> wrote:

> On 03/17/2017 02:17 PM, Konstantin Gizdov wrote:
> > Hi Eli and Sebastian,
> >
> > OK, I see the orphan request got approved. Certainly, wasn't looking to
> > draw outrage, but get advice on what the appropriate action. I will
> update
> > the relevant pythia, xrootd and submit deletion request myself for the
> > others.
> Thanks for fixing this yourself. It was less about outrage and more
> about being extra-emphatic about what is and isn't appropriate. :)
> I save the outrage/abuse for people who have already been told what the
> right thing is, and refuse to listen. Everyone makes mistakes, and that
> is generally okay as long as it was done in good faith and, upon
> realizing the mistake, fixing it.
> > As to the package signing, I already know how to detach sign. I also know
> > about the source signing. What is not clear to me is repo-add --sign. The
> > docs say it will update 'the package database'. Which package database?
> > Does AUR keep such info? I though that was for Trusted Users and official
> > repos.
> >
> > What I want to do is essentially to provide a convenient way for people
> to
> > build or directly download pre-built packages, if they choose to, and be
> > able to verify them, without too much hassle. What do you recommend?
> Should
> > I just make a *-bin version on AUR with my signature and detach sign the
> > binaries on my own repo? I thought this was also not the AUR way?
> >
> > Could I get someone's workflow for signed packages as an example?
> No, this is entirely separate from the AUR. See the Wiki page for
> "Unofficial user repositories".
> Various members of the community host their own prebuilt packages on
> their personal servers or whatever, for example, AUR packages that they
> use and want to sync on multiple computers, or something that takes a
> long compile time and they want to offer in addition to the AUR package.
> `repo-add --sign` will allow you to generate a pacman-compatible sync
> repository that can be copied/rsynced to your personal server and then
> added to pacman.conf to download from your server, while signing the
> database itself (it is ideal to sign both the packages, via `makepkg
> --sign`, and the sync database itself).
> --
> Eli Schwartz

More information about the aur-general mailing list