[aur-general] Package Request and/or TU Application

Giancarlo Razzolini grazzolini at archlinux.org
Fri Aug 20 14:05:12 UTC 2021


Em agosto 19, 2021 17:24 Kevin Morris via aur-general escreveu:
> I do like Giancarlo's idea because it would really future proof a lot
> of Python libraries we use; we could just lock versions in
> requirements.txt. It just feels a bit odd that we're splitting between
> two different package managers, especially because we still have to
> depend on several arch packages working properly regardless of the
> Python libraries.
> 
> I think I'm going to in fact commit that in as a new route for Python
> dependencies within a few days; it'll at least remove a dependency on
> unmaintained packages in the future.
> 
> That being said, I'd still vouch for the package in question for
> [community], as it's quite useful and seems like it's been stable
> for long enough in upstream.
> 
> Regardless, thanks for taking a look and replying so quickly!
> 
> Regards,
> Kevin
> 

We can (and should) aim to have everything needed to run the new aurweb on
the repos. Using virtualenvs has the downside of needing to sometimes be
re-created and that can cause issues (we had psycopg issues on archweb).
Also, we need to make sure we don't allow the deps to stale on it.

Still, it allows the rest of the machine to be updated often, and this is
specially important on the aurweb. We have a huge attack surface, it is by
far our most important service to secure, given the SSH and webgit accesses,
and everything else.

I don't want us to have to hold an important kernel, openssh, etc, upgrade,
because it would also bring in a new version of the libraries which would break
the code.

We also had issues with the php aurweb in the past where a new PHP version would
break it, preventing the whole machine from being updated.

Regards,
Giancarlo Razzolini
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/aur-general/attachments/20210820/c5fc5cb3/attachment.sig>


More information about the aur-general mailing list