Arch Linux

dreieck

Member

Registered: 2012-10-08

Posts: 28

PKGBUILD: Is source download in build() into $HOME/... OK?

Ahoj,

I see that a lot of packages in the AUR, that use rust (`cargo`) or `go` or `npm`, download

• dependencies e.g. via `cargo` or `go` during `build()` and

• into some subdirectory of the build user's home directory (e.g. `~/.cargo/`).

I want to ask if this is OK?

As I understand it, `build()` and `package()` should be able to run without internet access if possible, and so it would be good to move the downloads which cannot be put into the `source` array into `prepare()`.
This is practise I do.

I want to ask if this is desired? If so, I might upgrade the Go, Node.js and Rust packages guidelines in the Arch Wiki.

Also, is it OK that the stuff is downloaded into some subdirectory of the build user's home directory? As I understand it, package build should be self-contained within `$srcdir` and `$pkgdir` and must not do anything outside those directories. Does it also apply here? With rust packages, this can e.g. be enforced by setting `$CARGO_HOME` to `$srcdir/cargo` in the `PKGBUILD`.

Is this desired? If so, I might upgrade the Node.js and Rust packaging guidelines in the Arch Wiki. With Go packages, I am not sure yet how to achieve this completely; I had some package where I played with `$GOPATH` and it resulted in some dependencies going to the set location, and some still going to `~/.go`. I would need advice in this case.

In the Node.js package guidelines, there is already something saying to download to a subfolder of `$srcdir` to not clutter `$HOME`.

Regards!

Last edited by dreieck (2023-05-06 09:25:01)

Lone_Wolf

Member

From: Netherlands, Europe

Registered: 2005-10-04

Posts: 10,973

Re: PKGBUILD: Is source download in build() into $HOME/... OK?

and so it would be good to move the downloads which cannot be put into the `source` array into `prepare()`.

The rust package guidelines already achive that by using cargo --frozen in build() and check()  (package()  doesn't seem to use cargo) .

Also, is it OK that the stuff is downloaded into some subdirectory of the build user's home directory? As I understand it, package build should be self-contained within `$srcdir` and `$pkgdir` and must not do anything outside those directories.

Many users (including me) set SRCDEST in makepkg.conf to store downloaded sources somewhere in their $HOME to avoid re-downloading sources every time you build a package.
The commands from devtools that build in a clean chroot do use that env var and others from that same makepkg.conf section .

[EDIT]
Or do you mean that there is code inside PKGBUILDS that explicitly stores stuff under $HOME ?
[end-of-edit]

I have very little experience with node & go (and do my best to keep it that way) so can't comment on them.

Last edited by Lone_Wolf (2023-05-06 11:36:48)

---

Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.

(A works at time B)  && (time C > time B ) ≠  (A works at time C)

dreieck

Member

Registered: 2012-10-08

Posts: 28

Re: PKGBUILD: Is source download in build() into $HOME/... OK?

Or do you mean that there is code inside PKGBUILDS that explicitly stores stuff under $HOME ?

Yes, this is what I mean. cargo, go and npm all download stuff on their own and if not instructed specifically (they do not know about `$SRCDEST`, tool-specific options/ environment variables must be used), they download their stuff into some directory under `$HOME`, outside `$srcdir`.

Last edited by dreieck (2023-05-06 13:49:49)

Trilby

Inspector Parrot

Registered: 2011-11-29

Posts: 28,372

Website

Re: PKGBUILD: Is source download in build() into $HOME/... OK?

I've seen this several times when I attempted to build an AUR package to help someone on these forums and running makepkg resulted in the PKGBUILD littering garbage all over my home directory.  That is absolutely unacceptable.

I have hoped that this was a result of just incompetent use of the cargo / go / whatever by those specific PKGBUILD authors and not a limitation of those tools themselves.  But in any case, yes, build() and package() should be able to run with no network access (anything requiring network access should be either pushed into the source array, or if necessary handled in the prepare() function); and a PKGBUILD should absolutely not save anything outside of srcdir or pkgdir.

If the current packaging guidlines for cargo/go/whatever violate these requirements, they should be fixed.  If you know how to fix them to acheive these goals, please do so.

Last edited by Trilby (2023-05-06 12:40:59)

---

"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

lunaryorn

Member

Registered: 2021-03-27

Posts: 103

Re: PKGBUILD: Is source download in build() into $HOME/... OK?

Is that an official stance, Trilby?  Can't say anything about Go or NPM, but I just checked a few Rust packages in community, and I found none which overrides "CARGO_HOME", and only a single one which runs "cargo fetch" in prepare().  Does anyone even care?  I thought the general expectation was to build in chroot anyway?

I've also not found any documentation about "build()" and "package()" being expected to run without network access.  It's neither documented in PKGBUILD(5) nor in the Arch package guidelines as far as I can see.