You are not logged in.
I would like to create a package that checks out a versioned tag of a repository.
I can use the following syntax to get that tag:
source=("git+https://github.com/xxx/${_gitname}.git#tag=v${pkgver}")
sha256sums=('SKIP')
However, this doesn't guarantee that every build is the same, as the tag could be changed by the owners of the repository.
Ideally, I would like to put the commit-sha as checksum, so that makepkg could verify that I ended up with the correct commit.
Is there a way to do this nicely?
Last edited by priorit (2022-01-09 16:18:39)
Offline
Use the commit fragment instead of tag.
Sakura:-
Mobo: MSI MAG X570S TORPEDO MAX // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD
Making lemonade from lemons since 2015.
Offline
I would have preferred to use the tag in the checkout and use the commit as a checksum (ideally letting `makepkg -g` update the commit-hash).
Doesn't seem to exist yet, so using `commit` is probably the next best thing.
Offline
I feel like I must be missing something. Why would you want to use a checkout url that can sometimes get you something other than what you intended and add steps to detect when this failure occurred rather than using a checkout url that will consistently get you exactly what you intended?
"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" - Richard Stallman
Offline
By the way, here is a command to quickly get the commit id of a tag:
url="https://github.com/torvalds/linux/"
tag="v5.15"
git ls-remote -q --tags "$url" "$tag" | cut -f1
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
Offline
Why would you want to use a checkout url that can sometimes get you something other than what you intended and add steps to detect when this failure occurred rather than using a checkout url that will consistently get you exactly what you intended?
When packaging a version I want to download the Git sources that are tagged with that version number. That's the intent and that's how I would like to write it. It is also less error-prone as I can't accidentally put the wrong commit in my PKGBUILD.
Furthermore, having a source of the form "git+https://github.com/xxx/${_gitname}.git#tag=v${pkgver}" means that I only need to update the pkgver at the top, which simplifies maintenance of the package. If makepkg could update the hash (-g) then publishing an updated package would be as simple as for normal source packages.
Offline
You can write your own packaging helpers. Here is a quick script to do the job for a PKGBUILD that has _tag, _repo, and _commit variables. You could get even fancier and have a script that takes the new version number as a parameter or even fetches it automatically from some upstream announcement or so.
#!/bin/bash
function die() {
echo "$@"
exit 1
}
[ -f PKGBUILD ] || die "Could not find PKGBUILD"
tag="$(sed -n 's/^_tag="\?\([^"]*\)"\?.*$/\1/p' PKGBUILD)"
repo="$(sed -n 's/^_repo="\?\([^"]*\)"\?.*$/\1/p' PKGBUILD)"
commit="$(git ls-remote -q --tags "$repo" "$tag" | cut -f1 | tr -cd a-zA-Z0-9 )"
if [[ -z $commit ]] ; then
die "could not find commit id for tag $tag on $repo"
else
sed -i "s/^_commit=.*$/_commit=$commit/" PKGBUILD
updpkgsums
fi
pkgname=example
url="https://example.com"
_tag="v5.15"
_repo="https://github.com/torvalds/linux.git"
_commit=ABh84jdi58hjzh3
# create version from git tag
pkgver="${_tag#v}"
pkgrel=1
source=("git+$_repo#commit=$_commit")
sha256sums=('SKIP')
# [...]
echo "debug output for testing" >&2
echo "pkgver: $pkgver" >&2
echo "source: ${source[@]}" >&2
# package(), bulid(), ... comes here
Last edited by progandy (2022-01-09 18:54:40)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
Offline
Thanks. I think that's what I'm going to do.
If others think that supporting git hashes directly in makepkg would be a good idea, I could have a look at that as well.
Offline