[aur-general] Review of clickhouse-static PKGBUILD

[Mikhail f. Shiryaev]

Tue Feb 11 23:25:09 UTC 2020 Eli Schwartz <eschwartz at archlinux.org>

> "upstream recommends using vendored static linking" is not an acceptable
> reason to violate the packaging guidelines.
>
> The program *must* build using the system versions of the 46
> dependencies listed in the -static package, and the pkgname must be
> "clickhouse", not "clickhouse-static", in order to be moved to
> community; this is part of the "quality of life" care which defines a
> Trusted User's job.
>
> Among other things, this ensures that the openssl and libcurl versions
> used are the latest versions which are tracked on the security tracker
> and patched with security backports if needed -- something which is
> understandably important for anything that is communicating over the
> network.
>
> Also, libxml2 from 2 years ago, which is a bit ouch because xml is not
> exactly the least-exploited data format ever.
>
> Even linux distributions which build statically by default, will expect
> that the program link to the system's lib*.a static library packages
> rather than build a custom one.


Hello Eli,
Thank you for the full answer. So, as a conclusion, to fulfill the
requirements, every dependency must be added to [community] before the
main package, and only after that clickhouse could be added there as well.

That's understandable. Maybe, I could try to implement the regular
buildings for Arch in the repo and then will bring this topic again.

Best regards,
Mikhail f. Shiryaev

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/aur-general/attachments/20200214/8cb4fe5d/attachment.sig>