Talk:Arch packaging standards

From ArchWiki
Revision as of 17:29, 9 May 2014 by Flacs (talk | contribs) (sha256sum typo)

Suggestions

Shouldn't we suggest using SHA1 hash and not the already broken one (MD5)? --Tomato 15:47, 25 August 2010 (EDT)

My packages contain both md5sums and sha256sums arrays. I do so on the theory that some clients may not have the sha256sum utility installed, and those clients can fall back to the md5sum utility. Clarification would be appreciated. Ichimonji10 (talk) 14:32, 19 October 2013 (UTC)
All of the shaXsum programs are provided by coreutils, which is part of the base group. If a user doesn't have coreutils installed, they will have a very broken system.
In short, you don't need to provide more than one checksum array, and to be more secure, you should use one of the SHA-1 or SHA-2 checksums.
-- Jstjohn (talk) 05:38, 10 December 2013 (UTC)
That makes loads of sense, and I'll update my packages accordingly. Thank you. Uh... could you (or some other wiki maintainer) update this article to reference, say, sha256sum instead of md5sum?
Ichimonji10 (talk) 15:29, 10 December 2013 (UTC)
This page is locked for editing, which means that only the ArchWiki Administrators can edit this.
-- Jstjohn (talk) 23:17, 17 January 2014 (UTC)
I'm not an official developer, but I agree that using sha256sum should be recommended, so I've updated the article. -- Kynikos (talk) 04:39, 20 April 2014 (UTC)
"sha256sum" should be "sha256sums", can someone correct this? Flacs (talk) 17:29, 9 May 2014 (UTC)

Small addition

Arch_Packaging_Standards#Package_etiquette (small addition)

Any optional dependencies that are not needed to run the package or have it generally function should not be included in the depends array; instead the information should be added to the optdepends array: David C. Rankin (talk) 22:45, 17 January 2014 (UTC)

Fixed, thanks for reporting. -- Kynikos (talk) 04:51, 20 April 2014 (UTC)

Bundled libraries

I've recently found that packages that use bundled libraries tend to segfault. Should we suggest the removal of bundled libraries and instead use system libraries? --Gadget3000 (talk) 02:13, 6 August 2011 (UTC)

Old, if some packages are buggy, please use the bug tracker, closed. -- Kynikos (talk) 10:59, 20 April 2014 (UTC)

Addition of system users

Some packages require the addition of system users. For them to be ignored by things such as lightdm, they have to be in the sub-1000 UID space. Looking at packages in ABS, these users are simply added with a useradd -u .... However, there is no guideline or authoritative list that I can find which lists which UID is used for what, which is free, or how to register a UID for a specific system user. It would be nice to see a section about it here. --OlivierMehani 19:31, 13 October 2011 (EDT)

See DeveloperWiki:UID_/_GID_Database.
I think it's a bit too specific to be listed here. --Snowman 20:45, 13 October 2011 (EDT)
Yes, DeveloperWiki:UID_/_GID_Database (also linked from Users and groups) is the correct answer, closing. -- Kynikos (talk) 11:03, 20 April 2014 (UTC)

Web application package guidelines

How about adding Web_application_package_guidelines to the list? --Trontonic 11:18, 29 February 2012 (EST)

It is now linked from the template at the bottom. -- Kynikos (talk) 04:52, 20 April 2014 (UTC)

.install files

Something more should be said about .install files. Mention that there are also examples in /usr/share/pacman but it also needs some explanation on how they work. --Mauro2 (talk) 05:30, 15 October 2012 (UTC)

$srcdir

Please remove the cd "$srcdir..." no-op from the examples on the page. See: https://bugs.archlinux.org/task/34314 --Graysky (talk) 20:55, 14 March 2013 (UTC)

Fixed by [1]. -- Kynikos (talk) 04:47, 20 April 2014 (UTC)

Fields order

Arch_Packaging_Standards#Package_etiquette states: "It is common practice to preserve the order of the PKGBUILD fields as shown above." But this is not true. Common practice is to use /usr/share/pacman/PKGBUILD.proto as a template, and the order of fields in that prototype has a far greater influence on packages in the wild than this page. This page should be edited to reflect the current state of PKGBUILD.proto. Perhaps this page should state: "It is common practice to order PKGBUILD fields so they match the order of fields in PKGBUILD.proto." Ichimonji10 (talk) 14:32, 19 October 2013 (UTC)

/usr/sbin -> /usr/bin merge

The Directories section needs to be updated to reflect the recent /bin, /sbin, /usr/sbin -> /usr/bin merge:

  • The /usr/sbin line should be removed and the description of the /usr/bin line should be changed to all binaries or something similar.
  • /bin and /sbin should be added to the "Package should not contain following directories" list.

-- Kyrias (talk) 15:00, 6 June 2013 (UTC)

The first point was fixed months ago in [2], so I crossed that off the list.
The second point still needs to be fixed.
-- Jstjohn (talk) 05:33, 10 December 2013 (UTC)
Second point fixed, thanks for reporting. -- Kynikos (talk) 04:57, 20 April 2014 (UTC)

Punctuation in PKGBUILD

What is the official guidance regarding ending a pkgdesc in a period or using commas and English prose punctuation in general?

[Link] to discussion thread.

Graysky (talk) 15:17, 14 June 2013 (UTC)

There should be a clearly visible link to "Creating packages" page

Please, move the block located in the bottom of this page to its top. Andrew Grigorev (talk) 19:21, 17 July 2013 (UTC)

Package naming

  • Package names should consist of alphanumeric characters only; all letters should be lowercase.

This is a guideline, but I see some packages with hyphens and underscores (tesseract-data-chi_sim), dots (gstreamer0.10), plus (libxml++) and even at-signs (kde-l10n-ca@valencia). A package with uppercase name is libreoffice-bn-IN. According to the makepkg source, the allowed chars are: [:alnum:]+_.@-. Lekensteyn (talk) 22:38, 1 February 2014 (UTC)

  • Package names should NOT be suffixed with the upstream major release version number (e.g. we don't want libfoo2 if upstream calls it libfoo v2.3.4) in case the library and its dependencies are expected to be able to keep using the most recent library version with each respective upstream release. However, for some software or dependencies, this can not be assumed. In the past this has been especially true for widget toolkits such as GTK and Qt. Software that depends on such toolkits can usually not be trivially ported to a new major version. As such, in cases where software can not trivially keep rolling alongside its dependencies, package names should carry the major version suffix (e.g. gtk2, gtk3, qt4, qt5). For cases where most dependencies can keep rolling along the newest release but some can't (for instance closed source that needs libpng12 or similar), a deprecated version of that package might be called libfoo1 while the current version is just libfoo.
  • Package versions should be the same as the version released by the author. Versions can include letters if need be (eg, nmap's version is 2.54BETA32). Version tags may not include hyphens! Letters, numbers, and periods only.

This rule needs to get stricter. Having a slash in the version breaks filenames. For craziness, I tried setting up a pkgver containing all characters from 0x01 to 0xff which makes makepkg throw a Bash syntax error. The current packages have versions matching [[:alnum:]._+~]+ (and a colon for epoch, a hyphen for pkgrel). What about limiting to those characters? Debian has a similar set, see their policy docs. Lekensteyn (talk) 22:38, 1 February 2014 (UTC)

  • Package releases are specific to Arch Linux packages. These allow users to differentiate between newer and older package builds. When a new package version is first released, the release count starts at 1. Then as fixes and optimizations are made, the package will be re-released to the Arch Linux public and the release number will increment. When a new version comes out, the release count resets to 1. Package release tags follow the same naming restrictions as version tags.
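
The character sets discussed in this section, as an added example that is not part of the original discussion and is not makepkg's own code: the script checks the package names and versions mentioned above against the written guideline, the name set quoted from the makepkg source, and the proposed pkgver set. The function names and the two bad versions are constructed for illustration, and only the character set is checked.

```bash
#!/bin/sh
# Added example: function names are hypothetical, not taken from makepkg.
LC_ALL=C; export LC_ALL   # keep [:alnum:] and a-z limited to ASCII

# Guideline as written: lowercase alphanumeric characters only.
guideline_pkgname() {
    case $1 in
        '' | *[!a-z0-9]*) return 1 ;;
    esac
}

# Name set quoted from the makepkg source in the comment above: [:alnum:]+_.@-
makepkg_pkgname() {
    case $1 in
        '' | *[![:alnum:]+_.@-]*) return 1 ;;
    esac
}

# Proposed pkgver set: [[:alnum:]._+~]+ (so no slash, hyphen or colon).
proposed_pkgver() {
    case $1 in
        '' | *[![:alnum:]._+~]*) return 1 ;;
    esac
}

# Report which rule, if any, a package name satisfies.
classify_pkgname() {
    if guideline_pkgname "$1"; then echo guideline
    elif makepkg_pkgname "$1"; then echo makepkg-only
    else echo rejected
    fi
}

# Names are the ones cited in the discussion; 'lib foo' is constructed.
for n in tesseract-data-chi_sim gstreamer0.10 libxml++ \
         kde-l10n-ca@valencia libreoffice-bn-IN libfoo 'lib foo'; do
    printf '%-24s %s\n' "$n" "$(classify_pkgname "$n")"
done

# 2.54BETA32 and 2.3.4 come from the guideline text; the last two are constructed.
for v in 2.54BETA32 2.3.4 1.0/beta 1.0-1; do
    if proposed_pkgver "$v"; then s=ok; else s=rejected; fi
    printf 'pkgver %-17s %s\n' "$v" "$s"
done
```

Rejecting the slash at validation time matters because pkgver ends up in the package file name, which is the breakage the comment above describes.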

Is it acceptable for build() to start by removing directories?

I just downloaded a PKGBUILD whose build() function begins with the following:

find ./ -maxdepth 1 -mindepth 1 -type d  -exec rm -r {} \;

It seems to me that a PKGBUILD has no business doing this and that it is potentially dangerous. I admit that its danger will typically require people to do non-standard things and, arguably, things they would be better advised not to do anyway. But it still seems to me to invite trouble.

I don't remember seeing this in a PKGBUILD before but I can't find anything definitely ruling it out.

Is it acceptable for a build function to start by removing directories in this way? Is it safe?

--cfr (talk) 03:03, 27 February 2014 (UTC)

I'd argue that this is an acceptable thing to do, at least in some cases. As an example, consider Talend Open Studio DI: a single source file provides files for Windows, Linux, Mac OS, PowerPC (?) and Solaris. In response, the talend-open-studio-di (AUR) PKGBUILD simply removes them. Does removing those files invite trouble? Yes. But removing files seems like an integral tool in the package maintainer's toolkit, and plenty of other weird stuff happens in PKGBUILDs too. Ichimonji10 (talk) 02:20, 3 March 2014 (UTC)

Package naming

There are two "package naming" sections, the first one being empty.

I'd fix it, but the page is protected.

Xandaros (talk) 20:45, 3 March 2014 (UTC)

Fixed, thanks for the report. -- Kynikos (talk) 04:48, 20 April 2014 (UTC)

Missing quotes in the example PKGBUILD

cd $pkgname-$pkgver should be cd "$pkgname-$pkgver" in the two functions.

Unquoted paths tend to wreak havoc, though of course with `cd` it just fails safely if there are spaces in the path.

Calimero (talk) 08:05, 19 April 2014 (UTC) Calimero

Fixed, thanks for the report. -- Kynikos (talk) 05:02, 20 April 2014 (UTC)