I hate software like this. It's a nightmare to package.

I cringed on seeing a 'curl' in the build function that bypasses makepkg's checksum.
Yea, and also, dependencies are not defined, so it's not really a good alternative to leiningen.
In either case, leiningen is what really needs to be fixed, in my view, because that's what the github wiki points to: https://github.com/technomancy/leiningen/wiki/Packaging
And I think I know the perfect way to do it: Instead of drawing from the floating stable, why not simply draw from a specific commit in stable?
That seems like a perfect solution, because that's essentially a snap-shot, which won't change until the package maintainer decides to update the pkgbuild.
What do you think?
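
The commit-pinning idea from the post above, as an added example that is not part of the thread or of any AUR package: a POSIX shell audit that reads PKGBUILD text and reports whether each raw GitHub source follows a branch or a full commit id, and whether a digest accompanies it. The function names, verdict labels, sample PKGBUILD text, digest and all-zero commit id are constructed for illustration.

```shell
#!/bin/sh
# Classify the <ref> in https://raw.github.com/<owner>/<repo>/<ref>/<path>:
# a full 40-hex commit id is "pinned", a branch or tag name is "floating".
classify_ref() {
    ref=$(printf '%s\n' "$1" | sed -E -n \
        's#^https://raw\.github(usercontent)?\.com/[^/]+/[^/]+/([^/]+)/.*#\2#p')
    if [ -z "$ref" ]; then echo unknown
    elif printf '%s\n' "$ref" | grep -Eq '^[0-9a-f]{40}$'; then echo pinned
    else echo floating
    fi
}

# Read PKGBUILD text on stdin; print "<verdict> <url>" per raw GitHub source.
audit_pkgbuild() {
    text=$(cat)
    # A hex digest on a *sums= line means makepkg will validate the download.
    if printf '%s\n' "$text" | grep -Eq "^(md5|sha[0-9]+)sums=.*[0-9a-f]{32}"; then
        sums=yes
    else
        sums=no
    fi
    printf '%s\n' "$text" | grep -Eo "https://raw\.github[^'\" )]+" |
    while read -r url; do
        case "$(classify_ref "$url"):$sums" in
            pinned:yes)   echo "ok $url" ;;
            pinned:no)    echo "pinned-unchecked $url" ;;
            floating:yes) echo "breaks-on-upstream-push $url" ;;
            floating:no)  echo "unverified $url" ;;
            *)            echo "unknown $url" ;;
        esac
    done
}

# Constructed samples: the digest and the all-zero commit id are placeholders.
SAMPLE_FLOATING="source=('https://raw.github.com/technomancy/leiningen/stable/bin/lein')
sha1sums=('0123456789abcdef0123456789abcdef01234567')"
SAMPLE_PINNED="source=('https://raw.github.com/technomancy/leiningen/0000000000000000000000000000000000000000/bin/lein')
sha1sums=('0123456789abcdef0123456789abcdef01234567')"

printf '%s\n' "$SAMPLE_FLOATING" | audit_pkgbuild
printf '%s\n' "$SAMPLE_PINNED" | audit_pkgbuild
```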

If you want to avoid this, you should use the -git version.
I looked at that (I assume you mean leiningen2-git), and I was surprised to find out that it actually gets the sources from stable (just like leiningen).
I think leiningen should draw from stable (without sha1sums, just like current leiningen2-git), and then leiningen-git should draw from master.
Doesn't that make more sense? It would also avoid these "outdated" issues.
I was just trying to understand the reasoning behind the current setup, but, my problem is now solved, so I'll mark the thread accordingly.
Thanks everyone.

That's what I meant - When the stable branch is updated.
And in that way it is like every other package in the AUR. If/when the upstream source changes, the PKGBUILD has to be updated. If you want to avoid this, you should use the -git version.

No, the sha1sums will not be wrong "whenever the git repo updates" but only when the stable branch is updated. And the use of that source is just like the use of any other upstream source - the package maintainer is not pointing to the git repo generally but only to a particular stable branch of it.
That's what I meant - When the stable branch is updated.
I think perhaps you are just trying to use the wrong package. Perhaps you really want leiningen2-git?
... No.
I want to use the stable, but I can't, because of the problems already outlined.

I think perhaps you are just trying to use the wrong package. Perhaps you really want leiningen2-git?

Read the last comment https://aur.archlinux.org/packages/leiningen/ made by the current maintainer.
Yes, I noticed his last comment, and I understood (I think). However, I don't see how it implies a solution for my current problem.

It's not a "snap-shot" that was generated by the maintainer, as a "known to be good" copy. So, doesn't that imply that he trusts the source as "good"?
Read the last comment https://aur.archlinux.org/packages/leiningen/ made by the current maintainer.

source=('https://raw.github.com/technomancy/leiningen/stable/bin/lein')
It's not a "snap-shot" that was generated by the maintainer, as a "known to be good" copy. So, doesn't that imply that he trusts the source as "good"?
Unless the PKGBUILD is re-generated whenever the git repo updates, the sha1sums will always be outdated.
If this is something that cannot, or should not be automated, then what should the user do (assuming that I can't, or otherwise don't want to wait for the maintainer to update)?

And what do you mean about it being a trusted repo? PKGBUILDs don't get updated automatically - they are updated when the maintainer updates them. This can be triggered by the maintainer being informed that such a problem exists.

Also, I guess it would be a good idea to leave a comment for the maintainer, to update the file?
But again, going back to my original question: If the repo is trusted, why isn't PKGBUILD updated automatically?
I mean, with an active project like leiningen, that seems like a necessity, in order to avoid these issues.

==> Making package: leiningen 1:2.2.0-1 (Sat Aug 17 02:23:47 CEST 2013)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
-> Downloading lein...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 11440 100 11440 0 0 18067 0 --:--:-- --:--:-- --:--:-- 18101
==> Validating source files with sha1sums...
lein ... FAILED
==> ERROR: One or more files did not pass the validity check!
when using pure makepkg.

==> Building and installing package
==> Making package: leiningen 1:2.2.0-1 (Fri Aug 16 19:48:01 EDT 2013)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
-> Downloading lein...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 11440 100 11440 0 0 65861 0 --:--:-- --:--:-- --:--:-- 66127
==> Validating source files with sha1sums...
lein ... FAILED
==> ERROR: One or more files did not pass the validity check!
==> ERROR: Makepkg was unable to build leiningen.
Now, I did do some research, and it seems that if I do:
makepkg -g
That will give me the current sha, but I'm reluctant to use it:
If the github repo is trusted (which seems to be the case), why isn't the PKGBUILD updated automatically?
I'm guessing there must be a good reason, and I would like to clear that up before I continue.
Thanks.