Package Maintainer guidelines: Difference between revisions

From ArchWiki
VisualWikitext
(update old mailman URLs from (lists|mailman).archlinux.org/listinfo/ to lists.archlinux.org/mailman3/lists/)
 
(24 intermediate revisions by 10 users not shown)
Line 1: Line 1:
[[Category:Package development]]
[[Category:Package development]]
[[Category:OpenPGP]]
[[ja:AUR Trusted User ガイドライン]]
[[ja:AUR Trusted User ガイドライン]]
[[pt:AUR Trusted User guidelines]]
[[pt:Package Maintainer guidelines]]
[[zh-hans:AUR Trusted User Guidelines]]
[[zh-hans:Package Maintainer guidelines]]
{{Related articles start}}
{{Related articles start}}
{{Related|Arch User Repository}}
{{Related|Arch User Repository}}
{{Related|DeveloperWiki#Packaging Guidelines}}
{{Related|DeveloperWiki:How to be a packager}}
{{Related|DeveloperWiki:Building in a clean chroot}}
{{Related|GnuPG}}
{{Related|OpenPGP}}
{{Related articles end}}
{{Related articles end}}
'''Trusted Users (TU)''' are members of the community charged with keeping the AUR in working order. They maintain popular packages ([https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/message/SI2IZPY4YVB3ACEVJWFR3NCOZSM4HSEV/ communicating with and sending patches upstream as needed]), and vote in administrative matters. A TU is elected from active community members by current TUs in a democratic process. TUs are the only members who have a final say in the direction of the AUR.


The TUs are governed using the [https://tu-bylaws.aur.archlinux.org TU bylaws]
[[Package Maintainers]] are Arch Linux staff members charged with keeping the AUR in working order. They maintain popular packages ([https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/message/SI2IZPY4YVB3ACEVJWFR3NCOZSM4HSEV/ communicating with and sending patches upstream as needed]), and vote in administrative matters. A Package Maintainer is elected from active community members by current Package Maintainers in a democratic process. Package Maintainers are the only members who have a final say in the direction of the AUR.


== TODO list for new Trusted Users ==
The Package Maintainers are governed using the [https://package-maintainer-bylaws.aur.archlinux.org/ Package Maintainer bylaws]
 
== TODO list for new Package Maintainers ==


# Read this entire wiki article.
# Read this entire wiki article.
# Read the [https://tu-bylaws.aur.archlinux.org TU Bylaws].
# Read the [https://package-maintainer-bylaws.aur.archlinux.org/ Package Maintainer Bylaws].
# Make sure your account details on the [[AUR]] are up-to-date.
# Make sure your account details on the [[AUR]] are up-to-date.
# Ask one of your sponsors to give you TU status on the AUR.
# Ask one of your sponsors to give you the Package Maintainer status on the AUR.
# Add yourself to the [[Trusted Users]] page.
# Remind a [[ArchWiki:Access levels and roles#Access levels|bureaucrat]] to add your wiki account to the {{int:group-archpackager}} group.
# Remind a [[ArchWiki:Access levels and roles#Access levels|bureaucrat]] to add your wiki account to the {{int:group-archtu}} group.
# Remind a [https://bbs.archlinux.org/userlist.php?username=&show_group=1&sort_by=username&sort_dir=ASC&search=Submit BBS admin] to change your account on forums.
# Remind a [https://bbs.archlinux.org/userlist.php?username=&show_group=1&sort_by=username&sort_dir=ASC&search=Submit BBS admin] to change your account on forums.
# Ask one of your sponsors for the [ircs://irc.libera.chat/archlinux-staff #archlinux-staff] and [ircs://irc.libera.chat/archlinux-tu #archlinux-tu] keys and join us in the channels (this is not mandatory, but a great way of getting to know parts of the team and collaborate).
# Ask one of your sponsors for the [ircs://irc.libera.chat/archlinux-staff #archlinux-staff] and [ircs://irc.libera.chat/archlinux-packaging #archlinux-packaging] keys and join us in the channels (this is not mandatory, but a great way of getting to know parts of the team and collaborate).
#* If you need a bouncer, ask heftig for a [[Matrix]] invite.  
#* If you need a bouncer, ask heftig for a [[Matrix]] invite.  
#* If you want an {{ic|@archlinux/trusteduser/''username''}} cloak, ask our [[Arch IRC channels#Libera Chat group contacts|group contacts]] to get you one.
#* If you want an {{ic|@archlinux/package-maintainer/''username''}} cloak, ask our [[Arch IRC channels#Libera Chat group contacts|group contacts]] to get you one.
# Ask one of your sponsors to create a ticket in [https://gitlab.archlinux.org/archlinux/infrastructure/-/issues the infrastructure repository issue tracker] (using the {{ic|Onboarding}} template) and provide them with the following information:
# Ask one of your sponsors to create a ticket in [https://gitlab.archlinux.org/archlinux/infrastructure/-/issues the infrastructure repository issue tracker] (using the {{ic|Onboarding}} template) and provide them with the following information:
#* An SSH public key. If you do not have one, follow [[SSH keys#Generating an SSH key pair]] to create one.
#* An SSH public key. If you do not have one, follow [[SSH keys#Generating an SSH key pair]] to create one.
Line 30: Line 34:
#* Whether your private or your (to be created) {{ic|''username''@archlinux.org}} email address should be used for the non-public mailing lists and be allowed to post to the [https://lists.archlinux.org/mailman3/lists/arch-dev-public.lists.archlinux.org/ arch-dev-public] mailing list.
#* Whether your private or your (to be created) {{ic|''username''@archlinux.org}} email address should be used for the non-public mailing lists and be allowed to post to the [https://lists.archlinux.org/mailman3/lists/arch-dev-public.lists.archlinux.org/ arch-dev-public] mailing list.
# Set the password for your {{ic|@archlinux.org}} e-mail address by following [[DeveloperWiki:Staff Services#Email]].
# Set the password for your {{ic|@archlinux.org}} e-mail address by following [[DeveloperWiki:Staff Services#Email]].
# Create a PGP key pair for [[package signing]] by following the [https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/add-a-new-packager-key workflow for adding a new packager key] (using your new {{ic|<username>@archlinux.org}} address as uid).
# Create a PGP key pair for [[package signing]] by following the [https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/add-a-new-packager-key workflow for adding a new packager key] (using your new {{ic|''username''@archlinux.org}} address as uid).
# Ask one of your sponsors to create a ticket in the [https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/issues archlinux-keyring repository issue tracker] (using the {{ic|New Packager Key}} template) in order to have your PGP key signed by (at least) three main key holders.
# Ask one of your sponsors to create a ticket in the [https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/issues archlinux-keyring repository issue tracker] (using the {{ic|New Packager Key}} template) in order to have your PGP key signed by (at least) three main key holders.
# Install the {{pkg|devtools}} package.
# Install the {{pkg|devtools}} package.
# [[AUR submission guidelines#Authentication|Configure your private ssh key]] for {{ic|repos.archlinux.org}}.
# [[AUR submission guidelines#Authentication|Configure your private ssh key]] for {{ic|repos.archlinux.org}}.
# Ssh to yourname@repos.archlinux.org (once you have permissions).
# Ssh to {{ic|''yourname''@repos.archlinux.org}} (once you have permissions).
# Start contributing!
# Start contributing!


== The TU and the AUR ==
== The Package Maintainer and the AUR ==


The TUs should also make an effort to check package submissions in the [[AUR]] for malicious code and good PKGBUILDing standards.  In around 80% of cases the PKGBUILDs in the UNSUPPORTED are very simple and can be quickly checked for sanity and malicious code by the TU team.
The Package Maintainers should also make an effort to check package submissions in the [[AUR]] for malicious code and good PKGBUILDing standards.  In around 80% of cases the PKGBUILDs in the AUR are very simple and can be quickly checked for sanity and malicious code by the Package Maintainer team.


TUs should also check PKGBUILDs for minor mistakes, suggest corrections and improvements.  The TU should endeavor to confirm that all packages follow the Arch Packaging Guidelines/Standards and in doing so share their skills with other package builders in an effort to raise the standard of package building across the distribution.
Package Maintainers should also check PKGBUILDs for minor mistakes, suggest corrections and improvements.  The Package Maintainer should endeavor to confirm that all packages follow the Arch Packaging Guidelines/Standards and in doing so share their skills with other package builders in an effort to raise the standard of package building across the distribution.


TUs are also in an excellent position to document recommended practices.
Package Maintainers are also in an excellent position to document recommended practices.


=== Rewriting git history ===
=== Rewriting git history ===


In some cases rewriting the history of an AUR repository is required, for example when a user inadvertently uses their real name in a published commit. This can be automated with {{man|1|git-filter-branch}}.  
In some cases rewriting the history of an AUR repository is required, for example when a user inadvertently uses their legal name in a published commit. This can be automated with {{man|1|git-filter-branch}}.  


To force push the new history, forward the {{ic|1=AUR_OVERWRITE=1}} environment variable to {{man|1|git-push}}. See [https://gitlab.archlinux.org/archlinux/aurweb/-/commit/c5302d3a33028f483cc2e01225226d4ae047dd4a] for details.
To force push the new history, forward the {{ic|1=AUR_OVERWRITE=1}} environment variable to {{man|1|git-push}}.
 
In detail this includes adding {{ic|SendEnv AUR_OVERWRITE}} to your AUR SSH config and setting the env var on your push command: {{ic|AUR_OVERWRITE{{=}}1 git push --force}}.
See [https://gitlab.archlinux.org/archlinux/aurweb/-/commit/c5302d3a33028f483cc2e01225226d4ae047dd4a] for details.


{{Warning|It is recommended to create a backup of the repository before rewriting history.}}
{{Warning|It is recommended to create a backup of the repository before rewriting history.}}
Line 58: Line 65:


  $ git-filter-repo --name-callback 'return name.replace(b"''Old name''", b"''New name''")' --email-callback 'return email.replace(b"''old@email.com''", b"''new@email.com''")'
  $ git-filter-repo --name-callback 'return name.replace(b"''Old name''", b"''New name''")' --email-callback 'return email.replace(b"''old@email.com''", b"''new@email.com''")'
{{Tip|If the username contains special characters you may need to encode the strings {{ic|name.replace("Bás Ssze".encode("utf-8"), b"newname")'}}}}


Alternatively, use {{ic|git filter-branch --env-filter}} with the {{ic|GIT_AUTHOR_NAME}}, {{ic|GIT_AUTHOR_EMAIL}}, {{ic|GIT_COMMITTER_NAME}} and {{ic|GIT_COMMITTER_EMAIL}} [[environment variables]]. For example:
Alternatively, use {{ic|git filter-branch --env-filter}} with the {{ic|GIT_AUTHOR_NAME}}, {{ic|GIT_AUTHOR_EMAIL}}, {{ic|GIT_COMMITTER_NAME}} and {{ic|GIT_COMMITTER_EMAIL}} [[environment variables]]. For example:
Line 77: Line 86:
{{Expansion|This list is incomplete for now and should be expanded.}}
{{Expansion|This list is incomplete for now and should be expanded.}}


TUs should periodically check the [https://aur.archlinux.org/requests requests] filed on the AUR. For that there are some generic rules what to check for each request type:
Package Maintainers should periodically check the [https://aur.archlinux.org/requests requests] filed on the AUR. For that there are some generic rules what to check for each request type:


; Orphan request
; Orphan request
Line 83: Line 92:
* check if the request is older then 14 days (the date column turns red in the overview) (you cannot accept it before that anyway)
* check if the request is older then 14 days (the date column turns red in the overview) (you cannot accept it before that anyway)
* check if there was no update to the package itself (commit or release) done in the past 14 days
* check if there was no update to the package itself (commit or release) done in the past 14 days
* check if there was no comment from the package maintainer done in the past 14 days
* check if there was no comment from the AUR package maintainer done in the past 14 days


If all of the above points are true then you can accept the Orphan Request.
If all of the above points are true then you can accept the Orphan Request.


== The TU and [community], guidelines for package maintenance ==
== The Package Maintainer and extra, guidelines for package maintenance ==


=== Rules for packages entering the [community] repository ===
=== Rules for packages entering the extra repository ===


* A package must not already exist in any of the Arch Linux repositories. You should take necessary precautions to ensure no other packager is in the process of promoting the same package. Double-check the AUR package comments, read the latest subject headings in [https://lists.archlinux.org/mailman3/lists/aur-general.lists.archlinux.org/ aur-general], search [https://bugs.archlinux.org/index.php?project=0&do=index&switch=1 all projects in the bugtracker], [[wikipedia:Grep|grep]] the [https://svnbook.red-bean.com/en/1.7/svn.ref.svn.c.log.html Subversion log], and send a quick message to the private TU [[IRC channel]].
* A package must not already exist in any of the Arch Linux repositories. You should take necessary precautions to ensure no other packager is in the process of promoting the same package. Double-check the AUR package comments, read the latest subject headings in [https://lists.archlinux.org/mailman3/lists/aur-general.lists.archlinux.org/ aur-general], search [https://bugs.archlinux.org/index.php?project=0&do=index&switch=1 all projects in the bugtracker]{{Dead link|2024|01|13|status=404}}, [[wikipedia:Grep|grep]] the {{man|1|git-log}}, and send a quick message to the private packaging [[IRC channel]].
* [[AUR helpers#Pacman wrappers|Pacman wrappers]], as a special exception, will never be permitted. If wanting to otherwise add an [[AUR helper]], write an email to {{ic|arch-dev-public}} with the proposed addition, and respect any objections provided by team members.
* [[AUR helpers#Pacman wrappers|Pacman wrappers]], as a special exception, will never be permitted. If wanting to otherwise add an [[AUR helper]], write an email to {{ic|arch-dev-public}} with the proposed addition, and respect any objections provided by team members.
* Only "popular" packages may enter the repo, as defined by 1% usage from [https://pkgstats.archlinux.de/packages pkgstats] or 10 votes on the AUR.
{{Accuracy|The following rule is arbitrary and not enforced in practice. The next two points need to be adjusted as well.}}
* Only "popular" packages may enter the repository, as defined by 1% usage from [https://pkgstats.archlinux.de/packages pkgstats] or 10 votes on the AUR.
* Automatic exceptions to this rule are:
* Automatic exceptions to this rule are:
** i18n packages
** i18n packages
Line 100: Line 110:
** dependencies of packages who satisfy the definition of popular, including makedeps and optdeps
** dependencies of packages who satisfy the definition of popular, including makedeps and optdeps
** packages that are part of a collection and are intended to be distributed together, provided a part of this collection satisfies the definition of popular
** packages that are part of a collection and are intended to be distributed together, provided a part of this collection satisfies the definition of popular
* Any additions not covered by the above criteria must first be proposed on the aur-general mailing list, explaining the reason for the exemption (e.g. renamed package, new package). The agreement of three other TUs is required for the package to be accepted into [community]. Proposed additions from TUs with large numbers of "non-popular" packages are more likely to be rejected.
* Any additions not covered by the above criteria must first be proposed on the aur-general mailing list, explaining the reason for the exemption (e.g. renamed package, new package). The agreement of three other Package Maintainers is required for the package to be accepted into ''extra''. Proposed additions from Package Maintainers with large numbers of "non-popular" packages are more likely to be rejected.
* TUs are strongly encouraged to move packages they currently maintain from [community] if they have low usage. No enforcement will be made, although resigning TUs packages may be filtered before adoption can occur.
* Package Maintainers are strongly encouraged to move packages they currently maintain from ''extra'' if they have low usage. No enforcement will be made, although resigning Package Maintainers packages may be filtered before adoption can occur.
* It is good practice to always bump the '''pkgrel''' by ''1'' (in other words, set it to ''n + 1'') when promoting a package from AUR. This is to facilitate automatic updates for those who already have the package installed, so that they may continue to receive updates from the official channel. Another positive effect of this is that users are not warned that their local copy is newer, as is the case if a packager does reset the '''pkgrel''' to ''1''.
* It is good practice to always bump the '''pkgrel''' by ''1'' (in other words, set it to ''n + 1'') when promoting a package from AUR. This is to facilitate automatic updates for those who already have the package installed, so that they may continue to receive updates from the official channel. Another positive effect of this is that users are not warned that their local copy is newer, as is the case if a packager does reset the '''pkgrel''' to ''1''.


=== Accessing and updating the repository ===
=== Accessing and updating the repository ===


{{Merge|DeveloperWiki:HOWTO Be A Packager|Duplicate with some minor differences}}
See the [[DeveloperWiki:HOWTO Be A Packager|packager guide]].  
 
The [community] repository now uses '''devtools''' which is the same system used for uploading packages to [core] and [extra] to {{ic|repos.archlinux.org}}. Thus most of the instructions in [[DeveloperWiki:HOWTO Be A Packager|Packager Guide]] work without any change. Information which is specific for the [community] repository (like changed URLs) have been put here. The devtools require packagers to [[makepkg#Packager information|set the PACKAGER variable]] in {{ic|makepkg.conf}}.
 
Initially you should do a '''non-recursive checkout''' of the [community] repository:
 
<nowiki>$ svn checkout -N svn+ssh://svn-community@repos.archlinux.org/srv/repos/svn-community/svn svn-community</nowiki>
 
This creates a directory named "svn-community" which contains nothing but a ".svn" folder.
 
For '''checking''' out, '''updating''' all packages or '''adding''' a package see the [[DeveloperWiki:HOWTO Be A Packager|Packager Guide]].
 
To '''remove''' a package:
 
$ ssh repos.archlinux.org /community/db-repo-remove community arch pkgname
 
This needs to be done separately for all components of a split package. Here and in the following text, ''arch'' should be ''x86_64'' which is the only architecture supported by Arch Linux since [https://archlinux.org/news/the-end-of-i686-support/ i686 support has been deprecated].
 
{{Note|If you are editing packages of the ''any'' architecture you can simply run the x86_64 scripts which will also work.}}
 
When you are done with editing the PKGBUILD, etc., you should '''commit''' the changes ({{ic|svn commit}}).
 
Build the package with the helper script {{ic|extra-x86_64-build}}. If you want to upload to testing you need to build with the testing script {{ic|testing-x86_64-build}} instead.
 
Sign the package with {{ic|gpg --detach-sign *.pkg.tar.xz}}. If you are using a different PGP key for package signing you can add it to {{ic|~/.makepkg.conf}} with {{ic|1=GPGKEY=''identifier''}}.
 
When you want to '''release''' a package, first copy the package along with its signatures  to the ''staging/community'' directory on ''repos.archlinux.org'' using {{ic|scp}} and then '''tag''' the package by going to the ''pkgname/trunk'' directory and issuing {{ic|archrelease community-arch}}. This makes an svn copy of the trunk entries in a directory named ''community-x86_64'' indicating that this package is in the community repository for that architecture. Note that the staging directory is different from the staging repository and every package needs to be uploaded to the staging directory. This process can be automated with the {{ic|communitypkg}} script, see the summary below.
 
'''Package update summary:'''
 
* '''Update''' the package directory: {{ic|svn update some-package}}.
* '''Change''' to the package trunk directory: {{ic|cd some-package/trunk}}.
* '''Edit''' the PKGBUILD, make necessary changes, update hashes with {{ic|updpkgsums}}.
* '''Build''' the package: {{ic|makechrootpkg}} or {{ic|extra-x86_64-build}}. It is '''mandatory''' to build in a [[DeveloperWiki:Building in a clean chroot|clean chroot]].
* '''[[Namcap]]''' the PKGBUILD and the binary {{ic|pkg.tar.gz}}.
* '''Commit''', '''Sign''', '''Copy''' and '''Tag''' the package using {{ic|communitypkg "commit message"}}. This automates the following:
** '''Commit''' the changes to trunk: {{ic|svn commit}}.
** '''Sign''' the package: {{ic|gpg --detach-sign *.pkg.tar.xz}}.
** '''Copy''' the package and its signature to ''repos.archlinux.org'': {{ic|scp *.pkg.tar.xz *.pkg.tar.xz.sig repos.archlinux.org:staging/community/}}.
** '''Tag''' the package: {{ic|archrelease community-x86_64}}.
* '''Update''' the repository: {{ic|ssh repos.archlinux.org /community/db-update}}.
 
Also see the ''Miscellaneous'' section in the [[DeveloperWiki:HOWTO Be A Packager|Packager Guide]] and [[SSH keys#ssh-agent]].


=== Disowning packages ===
=== Disowning packages ===


If a TU cannot or does not want to maintain a package any longer, a notice should be posted to the AUR Mailing List, so another TU can
If a Package Maintainer cannot or does not want to maintain a package any longer, a notice should be posted to the AUR Mailing List, so another package maintainer can
maintain it. A package can still be disowned even if no other TU wants to maintain it, but the TUs should try not to drop many packages (they should not take on more than they have time for). If a package has become obsolete or is not used any longer, it can be removed completely as well.
maintain it. A package can still be disowned even if no other Package Maintainer wants to maintain it, but the Package Maintainers should try not to drop many packages (they should not take on more than they have time for). If a package has become obsolete or is not used any longer, it can be removed completely as well.
 
If a package has been removed completely, it can be uploaded once again (fresh) to UNSUPPORTED, where a regular user can maintain the package instead of the TU.
 
=== Moving packages from unsupported to [community] ===


Follow the normal procedures for adding a package to community, but remember to delete the corresponding package from unsupported!
If a package has been removed completely, it can be uploaded once again (fresh) to the AUR, where a regular user can maintain the package instead of the Package Maintainer.


=== Moving packages from [community] to unsupported ===
=== Moving packages from the AUR to extra ===


Remove the package using the instructions above and upload your source to the AUR.
Follow the normal procedures for adding a package to ''extra'' using the instructions in the [[DeveloperWiki:HOWTO Be A Packager#Adding a new package|Packager guide]], but remember to delete the corresponding package from the AUR!


=== Moving packages from [community-testing] to [community] ===
=== Moving packages from extra to the AUR ===


$ ssh repos.archlinux.org /community/db-move community-testing community ''package''
Remove the package using the instructions in the [[DeveloperWiki:HOWTO Be A Packager#Removing a package|Packager Guide]] and upload your source to the AUR.


=== Deleting packages from unsupported ===
=== Moving packages from extra-testing to extra ===


There is no point in removing dummy packages, because they will be re-created in an attempt to track dependencies. If someone uploads a
Move the package from the ''extra-testing'' to the ''extra'' repository using the instructions in the [[DeveloperWiki:HOWTO Be A Packager#Moving a package between repositories|packager guide]].
real package then all dependents will point to the correct place.


=== Remote build on build.archlinux.org ===
=== Remote build on build.archlinux.org ===
Line 178: Line 141:
{{Warning|The following procedures defeats the Web Of Trust model: a user with root access to PKGBUILD.com could alter the package and/or the signature before it gets published.}}
{{Warning|The following procedures defeats the Web Of Trust model: a user with root access to PKGBUILD.com could alter the package and/or the signature before it gets published.}}


Trusted users and developers can connect to build.archlinux.org via SSH to, among others, build packages using the devtools.
Package Maintainers and Developers can connect to build.archlinux.org via SSH to, among others, build packages using the devtools.
This has numerous advantages over a local setup:
This has numerous advantages over a local setup:


Line 194: Line 157:
Make sure gpg-agent is not running ({{ic|systemctl --user stop gpg-agent.service}}).  At this point, make sure that no sockets exist in the folder pointed by {{ic|gpgconf --list-dir socketdir}}.  If they do, remove them or log out and in again.
Make sure gpg-agent is not running ({{ic|systemctl --user stop gpg-agent.service}}).  At this point, make sure that no sockets exist in the folder pointed by {{ic|gpgconf --list-dir socketdir}}.  If they do, remove them or log out and in again.
If you have a custom $GNUPGHOME (eg. to move it to {{ic|~/.config/gnupg}}), you will need to unset that, as it is not possible in gnupg to set the homedir without setting the socketdir.
If you have a custom $GNUPGHOME (eg. to move it to {{ic|~/.config/gnupg}}), you will need to unset that, as it is not possible in gnupg to set the homedir without setting the socketdir.
On build.archlinux.org, ''StreamLocalBindUnlink yes'' is set in ''sshd_config'', therefore removing the sockets manually on logout is not necessary.
On build.archlinux.org, {{ic|StreamLocalBindUnlink yes}} is set in {{ic|sshd_config}}, therefore removing the sockets manually on logout is not necessary.


While the PGP private keys remain on your local machine, the public keys '''must''' be on the build server.  Export your public ring to the build server, e.g. from you local machine
While the PGP private keys remain on your local machine, the public keys '''must''' be on the build server.  Export your public ring to the build server, e.g. from you local machine
Line 200: Line 163:
  $ scp ~/.gnupg/pubring.gpg build.archlinux.org:~/.gnupg/pubring.gpg
  $ scp ~/.gnupg/pubring.gpg build.archlinux.org:~/.gnupg/pubring.gpg


SSH is required to checkout and commit to the SVN repository.  You can either set up a new SSH key pair on the server (it is highly discouraged to put your local private key on a server for security reasons) or reuse your local keys via socket forwarding.  If you opt for the latter, make sure to disable ssh-agent on the build server if you had enabled it previously (it is not running by default).
SSH is required to checkout and commit to the Git repository.  You can either set up a new SSH key pair on the server (it is highly discouraged to put your local private key on a server for security reasons) or reuse your local keys via socket forwarding.  If you opt for the latter, make sure to disable ssh-agent on the build server if you had enabled it previously (it is not running by default).


Configure you build environment on the build server:
Configure you build environment on the build server:
Line 241: Line 204:
Connect with:
Connect with:


  $ ssh -R $REMOTE_SSH_AUTH_SOCK:$SSH_AUTH_SOCK -R /run/user/$REMOTE_UID/gnupg/S.gpg-agent:/home/doe/.gnupg-archlinux/S.gpg-agent.extra build.archlinux.org
  $ ssh -R ''REMOTE_SSH_AUTH_SOCK'':$SSH_AUTH_SOCK -R /run/user/''REMOTE_UID''/gnupg/S.gpg-agent:/home/doe/.gnupg-archlinux/S.gpg-agent.extra build.archlinux.org


or, if using GnuPG as your SSH agent:
or, if using GnuPG as your SSH agent:


  $ ssh -R /run/user/$REMOTE_UID/gnupg/S.gpg-agent.ssh:/run/user/$LOCAL_UID/gnupg/S.gpg-agent.ssh -R /run/user/$REMOTE_UID/gnupg/S.gpg-agent:/home/doe/.gnupg-archlinux/S.gpg-agent.extra build.archlinux.org
  $ ssh -R /run/user/''REMOTE_UID''/gnupg/S.gpg-agent.ssh:/run/user/''LOCAL_UID''/gnupg/S.gpg-agent.ssh -R /run/user/''REMOTE_UID''/gnupg/S.gpg-agent:/home/doe/.gnupg-archlinux/S.gpg-agent.extra build.archlinux.org


Replace ''$REMOTE_UID'' and ''$LOCAL_UID'' by your user identifier as returned by {{ic|id -u}} on the build server and locally, respectively.
Replace {{ic|''REMOTE_UID''}} and {{ic|''LOCAL_UID''}} by your user identifier as returned by {{ic|id -u}} on the build server and locally, respectively.
If using ssh-agent, replace ''$REMOTE_SSH_AUTH_SOCK'' by the path to the SSH socket on the remote host (it can be anything).
If using ssh-agent, replace {{ic|''REMOTE_SSH_AUTH_SOCK''}} by the path to the SSH socket on the remote host (it can be anything).


You can make the forwarding permanent for that host.  For instance with gpg-agent.ssh:
You can make the forwarding permanent for that host.  For instance with gpg-agent.ssh:
Line 254: Line 217:
{{hc|~/.ssh/config|
{{hc|~/.ssh/config|
Host build.archlinux.org
Host build.archlinux.org
   RemoteForward /run/user/$REMOTE_UID/gnupg/S.gpg-agent /run/user/$LOCAL_UID/gnupg/S.gpg-agent.extra
   RemoteForward /run/user/''REMOTE_UID''/gnupg/S.gpg-agent /run/user/%i/gnupg/S.gpg-agent.extra
   RemoteForward /run/user/$REMOTE_UID/gnupg/S.gpg-agent.ssh /run/user/$LOCAL_UID/gnupg/S.gpg-agent.ssh
   RemoteForward /run/user/''REMOTE_UID''/gnupg/S.gpg-agent.ssh /run/user/%i/gnupg/S.gpg-agent.ssh
}}
}}


Again, replace ''$REMOTE_UID'' and ''$LOCAL_UID'' with their respective values.
Again, replace {{ic|''REMOTE_UID''}} with the user UID on the build server.


From then on, the procedure should be exactly the same as a local build:
From then on, the procedure should be exactly the same as a local build:


  $ ssh build.archlinux.org
  $ ssh build.archlinux.org
  $ svn checkout -N svn+ssh://svn-community@repos.archlinux.org/srv/repos/svn-community/svn svn-community
  $ pkgctl repo clone existing-package
  $ ...
  $ ...


{{Note|pinentry-curses might not work with socket forwarding.  If it fails for you, try using a different pinentry.}}
{{Note|pinentry-curses might not work with socket forwarding.  If it fails for you, try using a different pinentry.}}


== TODO list retiring a Trusted User ==
== TODO list retiring a Package Maintainer ==


When a TU resigns the following list has be followed, these steps do not apply when a TU resigns but is still a Developer.
When a Package Maintainer resigns the following list has be followed, these steps do not apply when a Package Maintainer resigns but is still a Developer.


# All packages packaged by the retiree should be resigned (so rebuild). Packages packaged by the retiree can be found in Archweb https://archlinux.org/packages/?sort=&q=&packager=$packager&flagged= where packager is the username on Archweb.
# All packages packaged by the retiree should be resigned (so rebuild). Packages packaged by the retiree can be found in Archweb https://archlinux.org/packages/?sort=&q=&packager=$packager&flagged= where packager is the username on Archweb.
# The account of the retiree should be disabled on Archweb and added to the 'Retired Trusted users' group. The retiree should be removed from the 'Trusted Users' and the repository permissions should be reduced to none.
# The account of the retiree should be disabled on Archweb and added to the 'Retired Package maintainers' group. The retiree should be removed from the 'Package Maintainers' and the repository permissions should be reduced to none.
# The shell access to our servers should be disabled. (notably repos.archlinux.org, pkgbuild.com)
# The shell access to our servers should be disabled. (notably repos.archlinux.org, pkgbuild.com)
# The GPG key should be removed and a new archlinux-keyring package should be pushed to the repos. Create bug reports in the keyring project to remove the keys of the retired Trusted Users.
# The GPG key should be removed and a new archlinux-keyring package should be pushed to the repos. Create bug reports in the keyring project to remove the keys of the retired Package Maintainers.
# Remove the TU group from their AUR account.
# Remove the Package Maintainer group from their AUR account.
# A [[ArchWiki:Access levels and roles#Access levels|bureaucrat]] should remove their wiki account from the {{int:group-archtu}} group.
# A [[ArchWiki:Access levels and roles#Access levels|bureaucrat]] should remove their wiki account from the {{int:group-archpackager}} group.
# A [https://bbs.archlinux.org/userlist.php?username=&show_group=1&sort_by=username&sort_dir=ASC&search=Submit BBS admin] should change their account on forums.
# A [https://bbs.archlinux.org/userlist.php?username=&show_group=1&sort_by=username&sort_dir=ASC&search=Submit BBS admin] should change their account on forums.

Latest revision as of 13:30, 6 February 2024

Related articles

Package Maintainers are Arch Linux staff members charged with keeping the AUR in working order. They maintain popular packages (communicating with and sending patches upstream as needed), and vote in administrative matters. A Package Maintainer is elected from active community members by current Package Maintainers in a democratic process. Package Maintainers are the only members who have a final say in the direction of the AUR.

The Package Maintainers are governed using the Package Maintainer bylaws

TODO list for new Package Maintainers

  1. Read this entire wiki article.
  2. Read the Package Maintainer Bylaws.
  3. Make sure your account details on the AUR are up-to-date.
  4. Ask one of your sponsors to give you the Package Maintainer status on the AUR.
  5. Remind a bureaucrat to add your wiki account to the Arch Linux Package Maintainers group.
  6. Remind a BBS admin to change your account on forums.
  7. Ask one of your sponsors for the #archlinux-staff and #archlinux-packaging keys and join us in the channels (this is not mandatory, but a great way of getting to know parts of the team and collaborate).
    • If you need a bouncer, ask heftig for a Matrix invite.
    • If you want an @archlinux/package-maintainer/username cloak, ask our group contacts to get you one.
  8. Ask one of your sponsors to create a ticket in the infrastructure repository issue tracker (using the Onboarding template) and provide them with the following information:
    • An SSH public key. If you do not have one, follow SSH keys#Generating an SSH key pair to create one.
    • A username which will be used for your SSO account and for your (to be created) @archlinux.org email address.
    • Your full name.
    • Your (personal) e-mail address and a valid PGP public key ID for it, which will be used to provide the initial password for the developer interface (archweb) to you and which will be linked to your (to be created) SSO account.
    • Whether your private or your (to be created) username@archlinux.org email address should be used for the non-public mailing lists and be allowed to post to the arch-dev-public mailing list.
  9. Set the password for your @archlinux.org e-mail address by following DeveloperWiki:Staff Services#Email.
  10. Create a PGP key pair for package signing by following the workflow for adding a new packager key (using your new username@archlinux.org address as uid).
  11. Ask one of your sponsors to create a ticket in the archlinux-keyring repository issue tracker (using the New Packager Key template) in order to have your PGP key signed by (at least) three main key holders.
  12. Install the devtools package.
  13. Configure your private ssh key for repos.archlinux.org.
  14. Ssh to yourname@repos.archlinux.org (once you have permissions).
  15. Start contributing!

The Package Maintainer and the AUR

The Package Maintainers should also make an effort to check package submissions in the AUR for malicious code and good PKGBUILDing standards. In around 80% of cases the PKGBUILDs in the AUR are very simple and can be quickly checked for sanity and malicious code by the Package Maintainer team.

Package Maintainers should also check PKGBUILDs for minor mistakes, suggest corrections and improvements. The Package Maintainer should endeavor to confirm that all packages follow the Arch Packaging Guidelines/Standards and in doing so share their skills with other package builders in an effort to raise the standard of package building across the distribution.

Package Maintainers are also in an excellent position to document recommended practices.

Rewriting git history

In some cases rewriting the history of an AUR repository is required, for example when a user inadvertently uses their legal name in a published commit. This can be automated with git-filter-branch(1).

To force push the new history, forward the AUR_OVERWRITE=1 environment variable to git-push(1).

In detail this includes adding SendEnv AUR_OVERWRITE to your AUR SSH config and setting the env var on your push command: AUR_OVERWRITE=1 git push --force. See [1] for details.

Warning: It is recommended to create a backup of the repository before rewriting history.
Modify committer or author identity

Install git-filter-repo and run: 

$ git-filter-repo --name-callback 'return name.replace(b"Old name", b"New name")' --email-callback 'return email.replace(b"old@email.com", b"new@email.com")'
Tip: If the username contains special characters you may need to encode the strings name.replace("Bás Ssze".encode("utf-8"), b"newname")'

Alternatively, use git filter-branch --env-filter with the GIT_AUTHOR_NAME, GIT_AUTHOR_EMAIL, GIT_COMMITTER_NAME and GIT_COMMITTER_EMAIL environment variables. For example: 

git filter-branch --env-filter '
if test "$GIT_AUTHOR_EMAIL" = "lepetit@prince.com"; then
  GIT_AUTHOR_EMAIL=user@users.noreply.github.com
fi
if test "$GIT_AUTHOR_NAME" = "Antoine de Saint-Exupéry"; then
  GIT_AUTHOR_NAME=user
fi'
Note: git-log(1) only displays the git author by default. Use git log --pretty=fuller to display the author and committer.

Handling AUR requests

This article or section needs expansion.

Reason: This list is incomplete for now and should be expanded. (Discuss in Talk:Package Maintainer guidelines)

Package Maintainers should periodically check the requests filed on the AUR. For that there are some generic rules what to check for each request type:

Orphan request
  • check if the request is older then 14 days (the date column turns red in the overview) (you cannot accept it before that anyway)
  • check if there was no update to the package itself (commit or release) done in the past 14 days
  • check if there was no comment from the AUR package maintainer done in the past 14 days

If all of the above points are true then you can accept the Orphan Request.

The Package Maintainer and extra, guidelines for package maintenance

Rules for packages entering the extra repository

  • A package must not already exist in any of the Arch Linux repositories. You should take necessary precautions to ensure no other packager is in the process of promoting the same package. Double-check the AUR package comments, read the latest subject headings in aur-general, search all projects in the bugtracker[dead link 2024-01-13 ⓘ], grep the git-log(1), and send a quick message to the private packaging IRC channel.
  • Pacman wrappers, as a special exception, will never be permitted. If wanting to otherwise add an AUR helper, write an email to arch-dev-public with the proposed addition, and respect any objections provided by team members.

The factual accuracy of this article or section is disputed.

Reason: The following rule is arbitrary and not enforced in practice. The next two points need to be adjusted as well. (Discuss in Talk:Package Maintainer guidelines)
  • Only "popular" packages may enter the repository, as defined by 1% usage from pkgstats or 10 votes on the AUR.
  • Automatic exceptions to this rule are:
    • i18n packages
    • accessibility packages
    • drivers
    • dependencies of packages who satisfy the definition of popular, including makedeps and optdeps
    • packages that are part of a collection and are intended to be distributed together, provided a part of this collection satisfies the definition of popular
  • Any additions not covered by the above criteria must first be proposed on the aur-general mailing list, explaining the reason for the exemption (e.g. renamed package, new package). The agreement of three other Package Maintainers is required for the package to be accepted into extra. Proposed additions from Package Maintainers with large numbers of "non-popular" packages are more likely to be rejected.
  • Package Maintainers are strongly encouraged to move packages they currently maintain from extra if they have low usage. No enforcement will be made, although resigning Package Maintainers packages may be filtered before adoption can occur.
  • It is good practice to always bump the pkgrel by 1 (in other words, set it to n + 1) when promoting a package from AUR. This is to facilitate automatic updates for those who already have the package installed, so that they may continue to receive updates from the official channel. Another positive effect of this is that users are not warned that their local copy is newer, as is the case if a packager does reset the pkgrel to 1.

Accessing and updating the repository

See the packager guide.

Disowning packages

If a Package Maintainer cannot or does not want to maintain a package any longer, a notice should be posted to the AUR Mailing List, so another package maintainer can maintain it. A package can still be disowned even if no other Package Maintainer wants to maintain it, but the Package Maintainers should try not to drop many packages (they should not take on more than they have time for). If a package has become obsolete or is not used any longer, it can be removed completely as well.

If a package has been removed completely, it can be uploaded once again (fresh) to the AUR, where a regular user can maintain the package instead of the Package Maintainer.

Moving packages from the AUR to extra

Follow the normal procedures for adding a package to extra using the instructions in the Packager guide, but remember to delete the corresponding package from the AUR!

Moving packages from extra to the AUR

Remove the package using the instructions in the Packager Guide and upload your source to the AUR.

Moving packages from extra-testing to extra

Move the package from the extra-testing to the extra repository using the instructions in the packager guide.

Remote build on build.archlinux.org

Warning: The following procedures defeats the Web Of Trust model: a user with root access to PKGBUILD.com could alter the package and/or the signature before it gets published.

Package Maintainers and Developers can connect to build.archlinux.org via SSH to, among others, build packages using the devtools. This has numerous advantages over a local setup:

  • Builds are fast and network speed is high.
  • The environment needs setup only once.
  • Your local system need not be Arch Linux.

The process is similar to that of a local setup with devtools. Your GnuPG private is required for signing but you do not want to upload it for obvious security reasons. As such, you will need to forward the GnuPG agent socket from your local machine to the server: this will allow you to sign packages on the build server without communicating your key. This also means that we need to disable the agent on the server before we can run anything.

First, connect to build.archlinux.org and disable 

$ ssh build.archlinux.org
$ systemctl --user mask gpg-agent.service

Make sure gpg-agent is not running (systemctl --user stop gpg-agent.service). At this point, make sure that no sockets exist in the folder pointed by gpgconf --list-dir socketdir. If they do, remove them or log out and in again. If you have a custom $GNUPGHOME (eg. to move it to ~/.config/gnupg), you will need to unset that, as it is not possible in gnupg to set the homedir without setting the socketdir. On build.archlinux.org, StreamLocalBindUnlink yes is set in sshd_config, therefore removing the sockets manually on logout is not necessary.

While the PGP private keys remain on your local machine, the public keys must be on the build server. Export your public ring to the build server, e.g. from you local machine 

$ scp ~/.gnupg/pubring.gpg build.archlinux.org:~/.gnupg/pubring.gpg

SSH is required to checkout and commit to the Git repository. You can either set up a new SSH key pair on the server (it is highly discouraged to put your local private key on a server for security reasons) or reuse your local keys via socket forwarding. If you opt for the latter, make sure to disable ssh-agent on the build server if you had enabled it previously (it is not running by default).

Configure you build environment on the build server: 

~/.makepkg.conf
PACKAGER="John Doe <john@doe.example>"
## Optional
PKGDEST="/home/johndoe/packages"
SRCDEST="/home/johndoe/sources"
SRCPKGDEST="/home/johndoe/srcpackages"
LOGDEST="/home/johndoe/logs"
## If your PGP key is not the default, specify the right fingerprint:
GPGKEY="ABCD1234..."
Warning: Forwarding your gpg-agent socket to a remote machine makes it possible for anyone with root access to that system to use your unlocked GPG credentials. To circumvent this issue, we need to disable passphrase caching.

Disable passphrase caching with the following settings: 

gpg-agent.conf
default-cache-ttl 0
max-cache-ttl 0

Because we will want to keep our usual GPG agent running with its current settings, we are going to run another GPG agent dedicated to the task at hand. Create a ~/.gnupg-archlinux folder and symlink everything from ~/.gnupg there, except ~/.gnupg/gpg-agent.conf. Configure the new GPG agent: 

~/.gnupg-archlinux
extra-socket /home/doe/.gnupg-archlinux/S.gpg-agent.extra
default-cache-ttl 0
max-cache-ttl 0
pinentry-program /usr/bin/pinentry-gtk-2

The gpg-agent-extra.socket will be forwarded to build.archlinux.org.

Start the dedicated agent with 

$ gpg-agent --homedir ~/.gnupg-archlinux --daemon

Connect with: 

$ ssh -R REMOTE_SSH_AUTH_SOCK:$SSH_AUTH_SOCK -R /run/user/REMOTE_UID/gnupg/S.gpg-agent:/home/doe/.gnupg-archlinux/S.gpg-agent.extra build.archlinux.org

or, if using GnuPG as your SSH agent: 

$ ssh -R /run/user/REMOTE_UID/gnupg/S.gpg-agent.ssh:/run/user/LOCAL_UID/gnupg/S.gpg-agent.ssh -R /run/user/REMOTE_UID/gnupg/S.gpg-agent:/home/doe/.gnupg-archlinux/S.gpg-agent.extra build.archlinux.org

Replace REMOTE_UID and LOCAL_UID by your user identifier as returned by id -u on the build server and locally, respectively. If using ssh-agent, replace REMOTE_SSH_AUTH_SOCK by the path to the SSH socket on the remote host (it can be anything).

You can make the forwarding permanent for that host. For instance with gpg-agent.ssh: 

~/.ssh/config
Host build.archlinux.org
  RemoteForward /run/user/REMOTE_UID/gnupg/S.gpg-agent /run/user/%i/gnupg/S.gpg-agent.extra
  RemoteForward /run/user/REMOTE_UID/gnupg/S.gpg-agent.ssh /run/user/%i/gnupg/S.gpg-agent.ssh

Again, replace REMOTE_UID with the user UID on the build server.

From then on, the procedure should be exactly the same as a local build: 

$ ssh build.archlinux.org
$ pkgctl repo clone existing-package
$ ...
Note: pinentry-curses might not work with socket forwarding. If it fails for you, try using a different pinentry.

TODO list retiring a Package Maintainer

When a Package Maintainer resigns the following list has be followed, these steps do not apply when a Package Maintainer resigns but is still a Developer.

  1. All packages packaged by the retiree should be resigned (so rebuild). Packages packaged by the retiree can be found in Archweb https://archlinux.org/packages/?sort=&q=&packager=$packager&flagged= where packager is the username on Archweb.
  2. The account of the retiree should be disabled on Archweb and added to the 'Retired Package maintainers' group. The retiree should be removed from the 'Package Maintainers' and the repository permissions should be reduced to none.
  3. The shell access to our servers should be disabled. (notably repos.archlinux.org, pkgbuild.com)
  4. The GPG key should be removed and a new archlinux-keyring package should be pushed to the repos. Create bug reports in the keyring project to remove the keys of the retired Package Maintainers.
  5. Remove the Package Maintainer group from their AUR account.
  6. A bureaucrat should remove their wiki account from the Arch Linux Package Maintainers group.
  7. A BBS admin should change their account on forums.
Retrieved from "https://wiki.archlinux.org/index.php?title=Package_Maintainer_guidelines&oldid=799837"