On 1/2/22 00:36, David Runge wrote:
> <snip>
> When looking at svn vs. git approaches the fundamental difference is,
> that with svn we track both the package sources *and* their "location"
> state in the repositories while repo-add/repo-remove is used to
> add/remove things on the fly to the package repository databases.
> While with a future git based setup we would have a package source
> repository per pkgbase and a management repository for
> arch-repo-management which tracks the state of the repositories
> transparently and should allow for atomic operations towards the package
> repository databases (e.g. dbscripts may fail halfway through and leave
> repositories in a bit of an undefined state when e.g. "moving" package
> files from a to b).
Thanks - I finally understand the point of this!
>> Also a couple of quick comments:
>> 1) might as well drop putting the signature into the package database
>> - pacman will not add these by default from next release as the
>> signatures are downloaded alongside the package. This reduced db size
>> substantially.
> Yes, that is an open topic in the implementation (this was decided after
> I implemented it/ I only got to know of that change after I implemented
> this attribute).
> For me this removal raises the following question which has been
> bothering me a bit and maybe you have an idea how to solve it:
> How would you allow for filtering packages in a repository for a
> particular PGP key? We have had quite a few rebuilds due to invalid
> packager keys or resigning packager keys. It would be great to have this
> in mind, as I believe that e.g. querying all PGP signature files of a
> repository to do so is not very feasible, but maybe this can still live
> on in the proposed management repository as unused "metadata" (e.g. PGP
> ID) of a given pkgbase which is populated upon import of a given
> package/ set of packages.
I assumed we were just grepping packager, because I forgot pacman can
output the signing keyid from a package signature!
I guess you can store the signature in the json files that are stored in
VCS. Maybe you want to do the keyid extraction from the signature when
adding it to the json file to facilitate easy querying? There is proto
code in RFC 4880 for doing this (this is what I used for pacman). This
also fits with the package state repository being the source of truth
and not the pacman database.
Allan
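Added example, not part of the thread and not pacman's or arch-repo-management's code: a small Python parser that pulls the issuer key ID out of a binary detached OpenPGP signature the way Allan describes (packet header, v4 signature packet and subpackets per RFC 4880, plus the issuer-fingerprint subpacket from the 4880bis drafts), and the kind of per-package record and "which packages were signed with key X" query that David asks about. The fingerprints, timestamp and package names are constructed placeholders, and the sample signature carries a dummy MPI, so it is structurally valid but not a real signature.

```python
"""Pull the issuer key ID / fingerprint out of a detached OpenPGP signature.

Example code for the discussion above (assumed layout, not pacman's parser).
References: RFC 4880 4.2 (packet headers), 5.2.3 (v4 signatures),
5.2.3.1 (subpackets); subpacket type 33 is from the RFC 4880bis drafts.
"""
import struct

SIGNATURE_PACKET = 2
SUBPKT_CREATION_TIME = 2
SUBPKT_ISSUER_KEYID = 16
SUBPKT_ISSUER_FINGERPRINT = 33


def _read_packet_header(data: bytes, pos: int = 0):
    """Parse one packet header; returns (tag, body_start, body_length).

    Old-format (what gpg still emits for many .sig files) and new-format
    headers are handled; partial/indeterminate lengths are rejected since a
    detached signature never needs them.
    """
    ctb = data[pos]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet (bit 7 of the CTB is clear)")
    if ctb & 0x40:                                   # new format
        tag, first = ctb & 0x3F, data[pos + 1]
        if first < 192:
            length, hlen = first, 2
        elif first < 224:
            length, hlen = ((first - 192) << 8) + data[pos + 2] + 192, 3
        elif first == 255:
            length, hlen = struct.unpack(">I", data[pos + 2:pos + 6])[0], 6
        else:
            raise ValueError("partial body lengths are not supported")
    else:                                            # old format
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 0:
            length, hlen = data[pos + 1], 2
        elif ltype == 1:
            length, hlen = struct.unpack(">H", data[pos + 1:pos + 3])[0], 3
        elif ltype == 2:
            length, hlen = struct.unpack(">I", data[pos + 1:pos + 5])[0], 5
        else:
            raise ValueError("indeterminate packet length is not supported")
    return tag, pos + hlen, length


def _iter_subpackets(area: bytes):
    """Yield (type, payload) for every signature subpacket in an area."""
    pos = 0
    while pos < len(area):
        first = area[pos]
        if first < 192:
            length, hlen = first, 1
        elif first < 255:
            length, hlen = ((first - 192) << 8) + area[pos + 1] + 192, 2
        else:
            length, hlen = struct.unpack(">I", area[pos + 1:pos + 5])[0], 5
        start = pos + hlen                           # length includes the type octet
        yield area[start] & 0x7F, area[start + 1:start + length]
        pos = start + length


def extract_issuer(sig: bytes) -> dict:
    """Return {'keyid', 'fingerprint', 'created'} from a v4 signature packet."""
    tag, start, length = _read_packet_header(sig)
    if tag != SIGNATURE_PACKET:
        raise ValueError(f"expected a signature packet, got tag {tag}")
    body = sig[start:start + length]
    if body[0] != 4:
        raise ValueError(f"unsupported signature version {body[0]}")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    p = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[p:p + 2])[0]
    unhashed = body[p + 2:p + 2 + unhashed_len]
    info = {"keyid": None, "fingerprint": None, "created": None}
    # The hashed area is covered by the signature; the unhashed area is only
    # a lookup hint.  Walk hashed first so its values take precedence.
    for kind, payload in list(_iter_subpackets(hashed)) + list(_iter_subpackets(unhashed)):
        if kind == SUBPKT_ISSUER_FINGERPRINT and payload[:1] == b"\x04" and len(payload) == 21:
            info["fingerprint"] = payload[1:].hex().upper()
            info["keyid"] = payload[-8:].hex().upper()   # v4 key ID = low 64 bits of fpr
        elif kind == SUBPKT_ISSUER_KEYID and len(payload) == 8 and info["keyid"] is None:
            info["keyid"] = payload.hex().upper()
        elif kind == SUBPKT_CREATION_TIME and len(payload) == 4 and info["created"] is None:
            info["created"] = struct.unpack(">I", payload)[0]
    return info


def signature_record(pkgname: str, sig: bytes) -> dict:
    """Per-package metadata that could be written into the VCS-tracked JSON."""
    return {"pkgname": pkgname, **extract_issuer(sig)}


def packages_signed_by(records, keyid: str):
    """The query from the thread: which packages were signed with this key?"""
    return sorted(r["pkgname"] for r in records if r["keyid"] == keyid.upper())


def _subpacket(kind: int, payload: bytes) -> bytes:
    body = bytes([kind]) + payload
    return bytes([len(body)]) + body                 # one-octet length form (< 192)


def build_sample_signature(fingerprint_hex: str, created: int, old_format: bool = False) -> bytes:
    """Constructed v4 signature packet with a dummy MPI (not a real signature)."""
    fpr = bytes.fromhex(fingerprint_hex)
    hashed = (_subpacket(SUBPKT_ISSUER_FINGERPRINT, b"\x04" + fpr)
              + _subpacket(SUBPKT_CREATION_TIME, struct.pack(">I", created)))
    unhashed = _subpacket(SUBPKT_ISSUER_KEYID, fpr[-8:])
    body = (bytes([4, 0x00, 1, 8])                   # v4, binary document, RSA, SHA-256
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\x12\x34"                            # left 16 bits of the digest
            + b"\x00\x08\xab")                       # one dummy 8-bit MPI
    if old_format:                                   # 0x89: old CTB, tag 2, 2-octet length
        return bytes([0x80 | (SIGNATURE_PACKET << 2) | 1]) + struct.pack(">H", len(body)) + body
    return bytes([0xC0 | SIGNATURE_PACKET, len(body)]) + body


if __name__ == "__main__":
    sample = build_sample_signature("0123456789ABCDEF0123456789ABCDEF01234567", 1641081360)
    print(extract_issuer(sample))
```

Two points worth keeping in mind when storing this in the management repository: the issuer subpacket in the unhashed area is a lookup hint rather than an authenticated statement, so the record is good for answering "which pkgbases need a rebuild after key X was revoked or re-signed" but does not replace verifying the signature against the keyring on import; and older signatures may carry only the 8-byte key ID (type 16) while newer GnuPG also emits the full fingerprint (type 33), so the record should tolerate a missing fingerprint.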