Package Details: gotop 4.0.1-1

| Field | Value |
|---|---|
| Git Clone URL | https://aur.archlinux.org/gotop.git (read-only) |
| Package Base | gotop |
| Description | A terminal based graphical activity monitor inspired by gtop and vtop |
| Upstream URL | https://github.com/xxxserxxx/gotop |
| Licenses | |
| Submitter | FabioLolix |
| Maintainer | FabioLolix (serxxx) |
| Last Packager | FabioLolix |
| Votes | 29 |
| Popularity | 1.28 |
| First Submitted | 2018-11-13 17:46 |
| Last Updated | 2020-12-30 15:18 |
Dependencies (2)
- glibc (glibc-git)
- go (go-tip, go-git, go-go2go-git, gcc-go-git, gcc-go) (make)
Latest Comments
egrupled commented on 2020-03-24 12:38
Because hashes are calculated internally by git.
Code signing on github or elsewhere is a generic topic. To enable verifying signatures in PKGBUILD you need two things:
- Add `?signed` after the git repo URL in the `source()` array.
- Add a `validpgpkeys()` array.
You can take a look at the official kernel PKGBUILD to see how it's done there: https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/linux&id=e95dd7f0bc971d06117aa8642e511291c8131c97
Also here's a wiki article that repeats my point about integrity checking: https://wiki.archlinux.org/index.php/PKGBUILD#Integrity
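The two settings egrupled describes (`?signed` on the git source plus a `validpgpkeys()` array) versus the md5sum-from-`makepkg -g` approach discussed further down can be checked mechanically. The following is an added example, not code from this thread or from the gotop project: a small POSIX sh lint that runs over three constructed PKGBUILD fragments (weak, partially hardened, hardened) and reports the integrity weaknesses the thread talks about. The package name, URLs and the all-zero key fingerprint are placeholders.

```shell
#!/bin/sh
# Added example, not from the AUR thread or the gotop project: a small lint
# over PKGBUILD text for the integrity settings discussed in the comments.
# The three PKGBUILD fragments are constructed samples; the key fingerprint
# is a placeholder, not a real key.

# Weak form: release tarball checked only against an md5sum that was itself
# produced by `makepkg -g` from the downloaded file (placeholder digest).
WEAK_PKGBUILD='
pkgname=example-pkg
pkgver=4.0.1
source=("https://github.com/example/example-pkg/archive/v${pkgver}.tar.gz")
md5sums=("00000000000000000000000000000000")
'

# Partially hardened: git source with ?signed, but no validpgpkeys array,
# so makepkg has no key it is allowed to trust.
PARTIAL_PKGBUILD='
pkgname=example-pkg
pkgver=4.0.1
source=("git+https://github.com/example/example-pkg.git#tag=v${pkgver}?signed")
sha256sums=("SKIP")
'

# Hardened form: git hashes the objects itself, ?signed makes makepkg verify
# the tag signature, and validpgpkeys pins which signing key is accepted.
HARDENED_PKGBUILD='
pkgname=example-pkg
pkgver=4.0.1
source=("git+https://github.com/example/example-pkg.git#tag=v${pkgver}?signed")
sha256sums=("SKIP")
validpgpkeys=("0000000000000000000000000000000000000000")  # placeholder fingerprint
'

# lint_pkgbuild TEXT: print one finding per line, return the number of findings.
lint_pkgbuild() {
    pb=$1
    n=0
    # has PATTERN: true when the PKGBUILD text matches the basic regex.
    has() { printf '%s\n' "$pb" | grep -q -- "$1"; }

    if has '^md5sums='; then
        echo "md5sums: MD5 is collision-prone; use sha256sums, sha512sums or b2sums"
        n=$((n + 1))
    fi
    if has 'git+' && ! has '?signed'; then
        echo "git source without ?signed: the tag/commit signature is never checked"
        n=$((n + 1))
    fi
    if has '?signed' && ! has '^validpgpkeys='; then
        echo "?signed without validpgpkeys: no signing key is pinned"
        n=$((n + 1))
    fi
    return "$n"
}

# Run the lint over the three samples when executed directly.
for name in WEAK PARTIAL HARDENED; do
    eval "sample=\$${name}_PKGBUILD"
    echo "== $name =="
    if lint_pkgbuild "$sample"; then
        echo "no findings"
    fi
done
```

Running it prints one finding for the weak fragment (md5sums), one for the partial fragment (missing `validpgpkeys`) and none for the hardened one. The point the lint encodes is the one made in the thread: a checksum generated by `makepkg -g` from the file you just fetched only proves the file has not changed since you fetched it, whereas a git tag signature checked against a pinned key ties the source to the upstream signer.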
serxxx commented on 2020-03-17 13:16
The recipe you linked to (gotop-git) skips hashes. How is that better than md5sum?
Again, is there a tutorial for this? I haven't seen anything in the documentation I've read that discusses github code signing and how that integrates with aur.
egrupled commented on 2020-03-12 08:59
I didn't talk about signing packages but signing your code in github.
In AUR case you don't build any packages, just publish recipe for that.
egrupled commented on 2020-03-11 20:15
I already advised you to use git if you don't have the time for hash thing. You may take a look at gotop-git (https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=gotop-git) and just use stable tag instead of HEAD.
serxxx commented on 2020-03-10 23:14
Which tutorial should I follow? The one I found and used was saying to use `makepkg -g`. This confuses me; the binaries and the archives containing them are built by an automated CI system. So, what am I supposed to be not trusting here? I don't understand the "accepting whatever you just downloaded" comment.
Signing the packages is easily done, but harder to automate. What I'm having difficulty understanding is that what I think I'm hearing is that someone is actually advocating an entirely manual process for building packages, and that can't be right.
I think a pointer to a best-practices page would be great. Keep in mind that I'm not only upstream, but I'm also trying to help multiple distributions, of which Arch is only one. The fact that I'm an Arch user myself does not lessen the amount of work necessary to package a release, so while I'm happy to follow best practices, it needs to be automate-able.
egrupled commented on 2020-03-07 18:23
@serxxx well, it's not recommended to use `makepkg -g` to calculate the hash, especially if you are the upstream. The hashes should be calculated independently, otherwise you are accepting whatever you just downloaded. If you don't care enough to calculate hashes upstream then you may switch to git sources instead of tarballs, which use hashes internally. It would be best to sign tags/tarballs with gpg.
See also https://git.archlinux.org/pacman.git/commit/?id=21af79860403f9120d2c0412a95ec97d06368e11
serxxx commented on 2020-03-07 15:49
@egrupled There was no decision; it's what `makepkg -g` and `makepkg --printsrcinfo` produce by default in the official @latest archlinux container: https://hub.docker.com/_/archlinux. I replaced a hand-rolled script with an official tool, and accepted what it generated. Why?
egrupled commented on 2020-03-07 10:01
@serxxx what was the reason behind changing `sha256sum` to `md5sum` in https://aur.archlinux.org/cgit/aur.git/commit/?h=gotop&id=0e5001a04dd82b1f41a54f7f494484a51c57369f ?
serxxx commented on 2020-02-23 21:58
Thanks folks. I appreciate the smooth transition.
cjbassi commented on 2020-02-23 19:07
Yeah that sounds fair. It would be good then to switch the upstream in all of the gotop packages. It may also be good to add serxxx as a co-maintainer of the packages. I can add him to gotop-bin but he'll have to request co-maintainership for the other packages.