#1 2020-12-25 21:19:45

nd925a
Member
Registered: 2017-01-30
Posts: 43

PKGBUILD Review request: maxflow

Hello,

I made this:

https://github.com/nd925a/arch_pkgbuild … in/maxflow

I was hoping someone could look over it for me.
I've never made a PKGBUILD before, but it was a thing for gimp in the gtk2 todo list so I'd like to throw it in the aur cause it was hard to find.

Thanks.

P.S. What I did with gimp, gegl, and babl are all in that same repo, but I'm not confident on what I did with those and gimp-devel is already in the aur.

Offline

#2 2020-12-25 21:39:57

Scimmia
Fellow
Registered: 2012-09-01
Posts: 11,461

Re: PKGBUILD Review request: maxflow

I really have no idea what you're talking about with gimp and gtk2, but I'll check over the PKGBUILD anyway

The 'arch' is wrong. Any means that the built package can be installed on any architecture, usually scripts, fonts, etc. This is cpp and the binary will be architecture specific.
The URL seems wrong. I really doubt that's the upstream URL.
The license is wrong. See the PKGBUILD wiki page for more info
The source file needs to be renamed on download. $pkgver.tar.gz is much too generic and can clash with other packages.
Don't skip the checksum.
You CANNOT use sudo in the package function. As it is, this builds a totally empty package as there's nothing in $pkgdir after the package function is run. See for yourself, pacman -Qlp <packagefile> will show nothing. You need to be installing things into $pkgdir, not directly into the filesystem with sudo.

Offline

#3 2020-12-28 12:31:44

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,867

Re: PKGBUILD Review request: maxflow

A hint : https://github.com/gerddie/maxflow looks like a good choice for url field.


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)

Online

#4 2020-12-28 19:55:52

nd925a
Member
Registered: 2017-01-30
Posts: 43

Re: PKGBUILD Review request: maxflow

Thanks for looking this over.

Scimmia wrote:

I really have no idea what you're talking about with gimp and gtk2, but I'll check over the PKGBUILD anyway

https://archlinux.org/todo/gtk-2-eol/

Scimmia wrote:

The 'arch' is wrong. Any means that the built package can be installed on any architecture, usually scripts, fonts, etc. This is cpp and the binary will be architecture specific.

Sorry, I thought C was fairly universal. Changed it to x86_64

Scimmia wrote:

The URL seems wrong. I really doubt that's the upstream URL.

Lone_Wolf wrote:

A hint : https://github.com/gerddie/maxflow looks like a good choice for url field.

Thanks. I used the one I did because the upstream website listed in the readme was dead and I wasn't sure if it was appropriate to point at github here.

Scimmia wrote:

The license is wrong. See the PKGBUILD wiki page for more info

It states in the README that it is GPL. And includes a copy of GPL v3 from 07. https://github.com/gerddie/maxflow/blob/master/GPL.TXT
I looked over the License section, but I'm not sure what I did wrong.

Scimmia wrote:

The source file needs to be renamed on download. $pkgver.tar.gz is much too generic and can clash with other packages.

Done, I think, copied from another package in the aur.

Scimmia wrote:

Don't skip the checksum.

I did because the original author doesn't provide one and I thought that was the thing to do. I put in a checksum I ran on the file after downloading, redownloaded and tested. Not sure if that's better or not though.

Scimmia wrote:

You CANNOT use sudo in the package function. As it is, this builds a totally empty package as there's nothing in $pkgdir after the package function is run. See for yourself, pacman -Qlp <packagefile> will show nothing. You need to be installing things into $pkgdir, not directly into the filesystem with sudo.

That explains why makepkg was failing without asking for a password. Thanks for clarifying that.

Offline

#5 2020-12-28 20:34:59

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: PKGBUILD Review request: maxflow

nd925a wrote:

Thanks for looking this over.

Scimmia wrote:

I really have no idea what you're talking about with gimp and gtk2, but I'll check over the PKGBUILD anyway

https://archlinux.org/todo/gtk-2-eol/

No one is getting rid of gtk2 any time soon.

nd925a wrote:
Scimmia wrote:

The 'arch' is wrong. Any means that the built package can be installed on any architecture, usually scripts, fonts, etc. This is cpp and the binary will be architecture specific.

Sorry, I thought C was fairly universal. Changed it to x86_64

That's not what architecture-specific means. See https://wiki.archlinux.org/index.php/PKGBUILD#arch

ELF executables compiled from universal C to intel 64-bit machine code cannot be run on ppc64le or aarch64 or armv7h or ...
They need to be recompiled from source.

nd925a wrote:
Scimmia wrote:

The license is wrong. See the PKGBUILD wiki page for more info

It states in the README that it is GPL. And includes a copy of GPL v3 from 07. https://github.com/gerddie/maxflow/blob/master/GPL.TXT
I looked over the License section, but I'm not sure what I did wrong.

I guess you did not see:

the fine wiki wrote:

(L)GPL has many versions and permutations of those versions. For (L)GPL software, the convention is:

  • (L)GPL — (L)GPLv2 or any later version

  • (L)GPL2 — (L)GPL2 only

  • (L)GPL3 — (L)GPL3 or any later version

"And includes a copy of GPL v3."

So, you are using the license metadata "GPL2 or any later version" for a "GPL3 or any later version" package; this is incorrect.

nd925a wrote:
Scimmia wrote:

Don't skip the checksum.

I did because the original author doesn't provide one and I thought that was the thing to do. I put in a checksum I ran on the file after downloading, redownloaded and tested. Not sure if that's better or not though.

The primary purpose of checksums is to prevent errors like "due to network issues, only half the file got downloaded and now fails to extract properly". md5sums is fine for this despite providing no "security". You MUST, per policy, use checksummed sources for this reason alone.

That being said, Trust on First Use (TOFU) is relevant here, so you might wish to use something stronger than md5sums.


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)

Offline

#6 2020-12-28 20:44:04

loqs
Member
Registered: 2014-03-06
Posts: 17,192

Re: PKGBUILD Review request: maxflow

==> Making package: maxflow 3.0.5-1 (Mon 28 Dec 2020 08:42:20 PM)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Found maxflow-3.0.5.tar.gz
==> WARNING: Skipping all source file integrity checks.
==> Extracting sources...
  -> Extracting maxflow-3.0.5.tar.gz with bsdtar
==> Starting build()...
/startdir/PKGBUILD: line 15: cmake: command not found
==> ERROR: A failure occurred in build().
    Aborting...
==> ERROR: Build failed, check /var/lib/archbuild/extra-x86_64/builduser/build

Missing makedepends and depends.

Offline

#7 2020-12-29 00:37:06

nd925a
Member
Registered: 2017-01-30
Posts: 43

Re: PKGBUILD Review request: maxflow

eschwartz wrote:

No one is getting rid of gtk2 any time soon.

Didn't figure they were, it's not important.

eschwartz wrote:

ELF executables compiled from universal C to intel 64-bit machine code cannot be run on ppc64le or aarch64 or armv7h or ...
They need to be recompiled from source.

It's a library that's being built directly from its C source. So in theory it should work on any architecture? Or are there idiosyncrasies that are architecture specific within C?

eschwartz wrote:

I guess you did not see:

the fine wiki wrote:

(L)GPL has many versions and permutations of those versions. For (L)GPL software, the convention is:

  • (L)GPL — (L)GPLv2 or any later version

  • (L)GPL2 — (L)GPL2 only

  • (L)GPL3 — (L)GPL3 or any later version

"And includes a copy of GPL v3."

So, you are using the license metadata "GPL2 or any later version" for a "GPL3 or any later version" package; this is incorrect.

I did; there was a PEBKAC issue that resolved itself after another readthrough.

eschwartz wrote:

The primary purpose of checksums is to prevent errors like "due to network issues, only half the file got downloaded and now fails to extract properly". md5sums is fine for this despite providing no "security". You MUST, per policy, use checksummed sources for this reason alone.

That being said, Trust on First Use (TOFU) is relevant here, so you might wish to use something stronger than md5sums.

I did understand the purpose of checksums, and had used Sha256 when I did it. I'd seen a few examples of the checksum being skipped which is why I thought it was a thing.
Is sha256 sufficient?
TOFU mostly makes sense in a it sounds like a guiding concept for ssh handshakes type way. Though I'm not sure how that applies to checksums other than that they are a double check of a file transfer.

Offline

#8 2020-12-29 00:38:07

nd925a
Member
Registered: 2017-01-30
Posts: 43

Re: PKGBUILD Review request: maxflow

loqs wrote:

Missing makedepends and depends.

Thanks for catching that. Added cmake as a makedepend and remembered to run it through a clean chroot.

Offline

#9 2020-12-29 00:46:59

Scimmia
Fellow
Registered: 2012-09-01
Posts: 11,461

Re: PKGBUILD Review request: maxflow

nd925a wrote:

It's a library that's being built directly from its C source. So in theory it should work on any architecture? Or are there idiosyncrasies that are architecture specific within C?

The point that you're missing is that this is the architecture that gets put on the built package. 'any' means that the final, binary package can be installed on any architecture, ie, you can build it on x86_64 then install that on an armv6 system.

Offline

#10 2020-12-29 01:08:08

nd925a
Member
Registered: 2017-01-30
Posts: 43

Re: PKGBUILD Review request: maxflow

Scimmia wrote:

The point that you're missing is that this is the architecture that gets put on the built package. 'any' means that the final, binary package can be installed on any architecture, ie, you can build it on x86_64 then install that on an armv6 system.

Oh, so I would need to list out the architectures and it picks out which one it's building on.

Offline
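
The review points raised in posts #2, #5 and #6, collected into a small lint script as an added example; it is not part of any post and not the poster's PKGBUILD. The function names, finding codes, both sample PKGBUILDs, the `example.invalid` URL and the checksum placeholder are constructed for illustration, and the checks are heuristics that assume single-line arrays.

```sh
# Added example: heuristic lint for the PKGBUILD mistakes the reviewers list.
# Sample PKGBUILDs are constructed; example.invalid is a placeholder, not upstream.

sample_bad() { cat <<'EOF'
pkgname=maxflow
pkgver=3.0.5
arch=('any')
source=("https://example.invalid/$pkgver.tar.gz")
sha256sums=('SKIP')
build() {
  cmake . && make
}
package() {
  sudo make install
}
EOF
}

sample_fixed() { cat <<'EOF'
pkgname=maxflow
pkgver=3.0.5
arch=('x86_64')
makedepends=('cmake')
source=("$pkgname-$pkgver.tar.gz::https://example.invalid/$pkgver.tar.gz")
sha256sums=('<sha256 of the tarball you downloaded and inspected>')
build() {
  cmake . && make
}
package() {
  make DESTDIR="$pkgdir" install
}
EOF
}

# Reads a PKGBUILD on stdin and prints one finding code per line.
lint_pkgbuild() {
  f=$(cat)
  has() { printf '%s\n' "$f" | grep -Eq -- "$1"; }
  if has '^[a-z0-9]+sums(_[a-z0-9_]+)?=.*SKIP'; then echo skip-checksum; fi
  if has '^md5sums'; then echo md5-only-detects-corruption; fi
  if has '(^|[^[:alnum:]_])sudo([^[:alnum:]_]|$)'; then echo sudo-used; fi
  if has '^package\(\)' && ! has 'pkgdir'; then echo nothing-installed-to-pkgdir; fi
  if has '^arch=.*any' && has '^[[:space:]]+(cmake|make|gcc|g\+\+)( |$)'; then echo arch-any-with-compiled-code; fi
  if has '^source=.*/\$\{?pkgver\}?\.' && ! has '^source=.*::'; then echo generic-source-filename; fi
  if has '^[[:space:]]+cmake( |$)' && ! has '^makedepends=.*cmake'; then echo cmake-not-in-makedepends; fi
  return 0
}
echo "bad:";   sample_bad   | lint_pkgbuild
echo "fixed:"; sample_fixed | lint_pkgbuild
```

A pinned sha256 only records what was downloaded the first time, so the tarball should be inspected before its hash is committed to the PKGBUILD.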
