[aur-general] TU application: hashworks

Levente Polyak anthraxx at archlinux.org
Mon Jun 15 17:28:06 UTC 2020

Hi hashworks,

some findings while I looked over your packages:

Tiny side notes:

nothing that really changes but I noticed you added some prefixed
sources like ${pkgname}-${pkgver}.tar.gz:: to github urls, just wanted
to make you aware github understands the following pattern:

I've seen lots of .gitignore that contain "*.tar.*" and thought maybe
worth mentioning the existence of SRCDEST and PKGDEST which IMO is super
handy compared to spitting out stuff into CWD.

I've nearly never seen the distribution of README.md when it contains
some useful bits that may help people in /usr/share/doc/${pkgname} not
like that's a requirement or such, but can sometimes be super useful.

- should distribute the man page it stores in docs by processing it via
  pandoc --standalone --to man docs/brickstrap.md > docs/brickstrap.1

- uses setuptools entry_point so python-setuptools is a first level
  hard dependency
- missing hard requires on python-requests and python-zope-interface
  as used in the modules

- same as certbot-dns-hetzner

- doesn't properly distribute a license declaration but just a comment
  about the json that declares the license type. Please distribute
  something in the licenses folder and ask upstream to provide a license
  file in tree

- downloads all submodules all the time, must be declared in the
  source=() array and the url of the submodules updated to reflect
  the dependencies like f.e. mono does.

- the qmake file doesn't understand CPPFLAGS, you need to add that as a
  workaround to the regular flags to enable fortified sources
- didn't have time, but does PREFIX really need to contain ${pkgdir}?

- should add explicit depends on zstd as in fact it gets enabled
  automatically and hence is a hard dependency

- project contains the tests via cmake that can be called in check()
  to ensure stuff most likely will work

- does not respect CPPFLAGS nor LDFLAGS leading to unfortified binary
  without full RELRO as namcap also complains
- declares -fno-stack-protector... excuse me? ehm just no :D
- distributes an empty /usr/bin which isn't desired

- same as pam-ihosts

- hmm sources exist and a -git package seems to be possible, why
  not build from source instead? we love sources :)

- same as prismatik-bin, more source more love

- README.md looks super useful, maybe worth distributing

- does this really require gumbo-git, it has like 5 more commits since
  2015 compared to repo gumbo-parser. Maybe would make more sense to
  poke some upstream folks to tag a new version instead?
- seems to soon be superseded by zim-tools anyway
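
The hardening findings in the review above (a build system that ignores CPPFLAGS, LDFLAGS not being respected, -fno-stack-protector), as an added example that is not part of the original mail: a bash check over the flags a build actually hands to the compiler and linker. The function names and all flag strings are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original mail. Function names are hypothetical.

# Workaround for build systems that ignore CPPFLAGS (qmake in the review):
# append CPPFLAGS to the regular compiler flags so -D_FORTIFY_SOURCE applies.
merge_cppflags() {  # $1 = CFLAGS or CXXFLAGS, $2 = CPPFLAGS
    printf '%s %s\n' "$1" "$2"
}

# Print one finding per line for the flags the compiler and linker really get.
# Later options override earlier ones, as in gcc, so tokens are read in order.
audit_flags() {  # $1 = effective compiler flags, $2 = effective LDFLAGS
    local tok fortify=0 ssp=0 ld
    for tok in $1; do
        case "$tok" in
            -D_FORTIFY_SOURCE=[1-9]) fortify=1 ;;
            -D_FORTIFY_SOURCE=0|-U_FORTIFY_SOURCE) fortify=0 ;;
            -fno-stack-protector) ssp=0 ;;
            -fstack-protector*) ssp=1 ;;
        esac
    done
    # Treat "-Wl,-z,relro -Wl,-z,now" and "-Wl,...,-z,relro,-z,now" alike.
    ld=",$(printf '%s' "$2" | tr -s ' ' ','),"
    [ "$fortify" -eq 1 ] || echo "unfortified: no effective -D_FORTIFY_SOURCE"
    [ "$ssp" -eq 1 ] || echo "no stack protector in effect"
    case "$ld" in *,-z,relro,*) ;; *) echo "no RELRO: missing -z,relro" ;; esac
    case "$ld" in *,-z,now,*) ;; *) echo "not full RELRO: missing -z,now" ;; esac
    return 0
}

# Constructed sample values in the style of a makepkg.conf.
sample_cflags="-O2 -pipe -fstack-protector-strong"
sample_cppflags="-D_FORTIFY_SOURCE=2"
sample_ldflags="-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now"

echo "== CPPFLAGS merged in, LDFLAGS passed through =="
audit_flags "$(merge_cppflags "$sample_cflags" "$sample_cppflags")" "$sample_ldflags"

echo "== upstream Makefile appends -fno-stack-protector, drops the rest =="
audit_flags "$sample_cflags -fno-stack-protector" ""
```

The first call prints no findings; the second prints all four, which is the flag-level cause of the unfortified, non-full-RELRO result that namcap reports on the built binary.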


