[aur-general] TU application - bastelfreak

Tim Meusel tim at bastelfreak.de
Thu Oct 22 21:24:13 UTC 2020


Hey,

On 21.10.20 23:41, Jelle van der Waa wrote:
> On 18/10/2020 17:39, Tim Meusel via aur-general wrote:
>> Hi!
>>
>> I'm Tim Meusel and I want to spend more time in the Arch Linux community
>> and increase the package quality. I first got in touch with open source
>> some years ago in the Puppet Community [0] where I started to love
>> Puppet and FOSS. At the moment I'm employed at a big ISP where I
>> maintain a few thousand systems. My solution of choice for configuration
>> management is Puppet because it fulfills all requirements and is easy to
>> extend. For a few projects I require up-to-date systems with modern
>> software, that's why I chose Arch Linux. Since Puppet was already
>> present in the company, the Arch Linux boxes were puppetized as well. I
>> wrote or contributed to multiple packages related to Puppet on Arch
>> Linux. foxxx0 and shibumi were so kind to continue maintaining them
>> in the official repositories:
> 
> Yay, I like seeing applications who want to help maintain packages which
> are already in our repositories!
> 
> Some notes on your AUR packages:
> 
> * choria-io
>   - 'github.com/choria-io/go-choria/build.BuildDate=$(date '+%F %T %z')'
>     Recording the build date is non-reproducible, will give
> reproducibility issues. SOURCE_DATE_EPOCH can be used to make it
> reproducible, see https://reproducible-builds.org/docs/source-date-epoch/

Thanks for the note. I will update the PKGBUILD in the next days and
also want to do some cleanups. It finally builds and all tests pass, but
the PKGBUILD is not yet complete.
> 
>   - systemd unit could have some systemd hardening applied, see the wiki
> or 'man systemd.exec'
> 
> https://wiki.archlinux.org/index.php/Arch_package_guidelines/Security#Systemd_services

Thanks for the hint about hardening. To get this working I only copied
the unit file that upstream uses as well (but it's not bundled in the
source code). I will take a look here and see which options make sense
in the unit file and submit them to upstream and the AUR.

> * log4r
>   - Package lacks a license=(), upstream url is no longer valid it seems?

ruby-log4r is a pretty sad project. It has been dead for a few years but
still widely used. It's possible to download the gem from rubygems, but
rubygems.org doesn't know the correct license and also has no link to
the source code. Because of that, the PKGBUILD does not properly build
the gem from source and execute the tests. In my opinion this
disqualifies it as an official package. But it's currently a dependency
for r10k. I wanted to ensure I can package r10k properly, and that
required building log4r as well. I'm currently working with the upstream
r10k developers to get rid of log4r as a dependency. Afterwards I can
delete/orphan the log4r package and r10k would be ready for an official
repo.
> 
> * tftp-hpa-destruct
>   - systemd service could use some hardening
>   - how did you obtain the LICENSE file? From their official website?

Well, years ago I required a tftp service that deletes files after it
delivered them. tftp-hpa-destruct has such a patch (that upstream didn't
want, which I understand :D). I used the official Arch Linux PKGBUILD
for tftp-hpa as a base. It also ships a dedicated LICENSE file. I've no
intention to ever get this in any email, so I didn't list it in my
initial email.

>   It's interesting it's not in the official tarball :)
> 
> Greetings,
> 
> Jelle
> 

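For the build-date point raised above, here is an added example (not from this thread and not choria-io's or the PKGBUILD's own code) of deriving the string passed to go's -ldflags from SOURCE_DATE_EPOCH, so that two builds of the same source produce identical binaries. It assumes GNU date (the -d @epoch form); the function names are made up here, and the build.BuildDate variable name is the one quoted in the review.

```shell
# Added example: reproducible build date for a PKGBUILD's ldflags.
# makepkg exports SOURCE_DATE_EPOCH for the build, so honour it; only fall
# back to the wall clock when it is unset (then the build is not reproducible).
# Assumes GNU date for `-d "@epoch"` (hypothetical helper names).

reproducible_build_date() {
    local epoch="${SOURCE_DATE_EPOCH:-$(date +%s)}"
    # Always format in UTC so the builder's local timezone cannot leak
    # into the binary; same format as the original `date '+%F %T %z'`.
    date -u -d "@${epoch}" '+%F %T %z'
}

# Build the -X argument that replaces the non-reproducible $(date ...) call.
choria_ldflags() {
    local build_date
    build_date="$(reproducible_build_date)"
    printf -- "-X 'github.com/choria-io/go-choria/build.BuildDate=%s'" "$build_date"
}

# Check whether the environment is pinned at all; returns 1 if the date would
# still come from the wall clock (useful as a warning in prepare()).
build_date_is_pinned() {
    [ -n "${SOURCE_DATE_EPOCH:-}" ]
}
```

In the PKGBUILD this would be used as `go build -ldflags "$(choria_ldflags)"`; with the same SOURCE_DATE_EPOCH two builds embed the same date string.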