32-bit PGP key IDs are not secure

Shouldn't we put complete PGP key fingerprints here? The short 32-bit key IDs are trivial to spoof these days: Ghen (talk) 13:25, 1 November 2020 (UTC)

home-thaodan flagged for removal

Hey, [1] flagged my repo for removal with wrong information. Why is that the case? My repo is up to date.



Thaodan (talk) 22:02, 21 April 2021 (UTC)

Last commit in your repo is from June 12, 2019. [1] -- Lahwaacz (talk) 08:06, 23 April 2021 (UTC)
Oddly enough, the binary repo is still updated. Just not the sources... -- Alad (talk) 09:13, 23 April 2021 (UTC)

script for listing files from unofficial repositories

Flagged some repositories based on this script

Roland Puntaier (talk) 09:36, 19 August 2021 (UTC)

It does not matter if the "server returns 404", since the server may have directory listing disabled but still serve the files correctly. E.g. Unofficial user repositories#dasbaumwolltier: returns 404, but works. — Lahwaacz (talk) 10:08, 19 August 2021 (UTC)
I see. You kept my flagging in some cases. I changed the script. These are returning 404 also for the db file: ashleyis dkp-linux jk-aur alucryd alucryd-multilib archlinuxgr-kde4 symbiflow-git. Why did you unflag these? Roland Puntaier (talk) 11:54, 19 August 2021 (UTC)
I think you may also need to check compressed extensions (e.g. $repo.db.tar.gz and maybe others) to have a meaningful test. I think you should probably find a way to test this with pacman itself instead of inventing new queries. At the very least hand check a few before doing bulk flagging. Alerque (talk) 12:00, 19 August 2021 (UTC)
I did add all extensions from, still the same 7 repos return 404. I agree that pacman should be used. I would like to provide the URL and it gives me back the list of packages, but I need to do some research regarding this. Roland Puntaier (talk) 12:32, 19 August 2021 (UTC)
You can use pyalpm to do the equivalent of pacman -Sy and pacman -Sl in Python, even with a custom config. Or use pacman directly in a shell script with custom --config, --dbpath, etc. arguments. — Lahwaacz (talk) 18:32, 19 August 2021 (UTC)
Thanks, I'll look into pyalpm. But in the meantime I added unofficialdb to the above gist, which does (url->pkg list) according to pacman's repo-add (which uses bsdtar, ...).

These repos fail: ashleyis dkp-linux jk-aur linux-nitrous mobile ownstuff-testing trinity alucryd alucryd-multilib archlinuxgr-kde4 BioArchLinux jkanetwork llvm-rc symbiflow-git. Roland Puntaier (talk) 06:05, 20 August 2021 (UTC)
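
The liveness check discussed in this thread, as an added example that is not the linked gist and was not posted by any participant: judge a repository by whether its database file parses, not by whether the directory URL returns 404. The suffix list, the function names and the sample data are assumptions made for illustration; the archive is built in memory so the block runs offline.

```python
import io
import tarfile

# Suffixes tried after "$repo.db" (assumed subset of the formats repo-add can write).
DB_SUFFIXES = ("", ".tar.gz", ".tar.xz", ".tar.zst")

def candidate_db_urls(server, repo):
    """Database URLs to probe; a 404 on the bare directory says nothing about these."""
    return [f"{server.rstrip('/')}/{repo}.db{s}" for s in DB_SUFFIXES]

def parse_desc(text):
    """Parse a 'desc' entry: '%FIELD%' lines, each followed by values up to a blank line."""
    fields, current = {}, None
    for line in text.splitlines():
        if len(line) > 2 and line[0] == line[-1] == "%":
            current = fields.setdefault(line[1:-1], [])
        elif line and current is not None:
            current.append(line)
        else:
            current = None
    return fields

def list_packages(db_bytes):
    """Return sorted (name, version) pairs from the raw bytes of a sync database."""
    try:  # "r:*" auto-detects the compression; zstd support depends on the Python version
        db = tarfile.open(fileobj=io.BytesIO(db_bytes), mode="r:*")
    except tarfile.ReadError as exc:  # e.g. an HTML error page served with status 200
        raise ValueError("response is not a pacman database") from exc
    packages = []
    with db:
        for member in db:
            if member.isfile() and member.name.endswith("/desc"):
                desc = parse_desc(db.extractfile(member).read().decode("utf-8"))
                packages.append((desc["NAME"][0], desc["VERSION"][0]))
    return sorted(packages)

def build_sample_db(entries):
    """Constructed sample input: a gzip-compressed database with one 'desc' per package."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as db:
        for name, version in entries:
            body = f"%NAME%\n{name}\n\n%VERSION%\n{version}\n\n".encode()
            info = tarfile.TarInfo(f"{name}-{version}/desc")
            info.size = len(body)
            db.addfile(info, io.BytesIO(body))
    return buf.getvalue()

if __name__ == "__main__":
    print(list_packages(build_sample_db([("foo", "1.0-1"), ("bar", "2.3-4")])))
```

Feeding `list_packages` the body downloaded from each candidate URL separates a repository that has really gone away from one that only has directory listing disabled.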