Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Arch package #27

Open
jonhoo opened this issue May 5, 2024 · 10 comments
Open

Arch package #27

jonhoo opened this issue May 5, 2024 · 10 comments

Comments

@jonhoo
Copy link

jonhoo commented May 5, 2024

Took the liberty of creating an Arch Linux package for this: https://aur.archlinux.org/packages/topfew

Don't know if you want to list that somewhere as part of installation instructions — if not, feel free to close :)

@jonhoo
Copy link
Author

jonhoo commented May 5, 2024

(happy to hand over ownership of it if you'd prefer)

@timbray
Copy link
Owner

timbray commented May 5, 2024

Why, thank you so much. I hate to admit it, but despite my decades of software I have never actually published this kind of command-line thing so I have no ideas what the issues are and what to watch out for. On top of which I normally live in Deb or Ubuntu. Does this mean that someone on an ordinary Arch box could type pacman -S topfew and it would just work?

I’m inclined to say “yes, thank you” and update the installation instructions, where by “update” I mean “create”. As for the ownership, given my Arch-ignorance I doubt I’d add value. Which leads to a question: Assuming you continue owning this, what do I do if/when I release 1.1.0 or even a hypothetical 2.0.0 to make sure this package gets updated? I cloned your repo and I see that it has a pkgver variable (and also that there are some go build options I need to educate myself about.

@jonhoo
Copy link
Author

jonhoo commented May 6, 2024

Happy to help! And I think you're not alone — packaging for distros I think is often seen as a dark art, even though it's often just bash all the way down. For example, all the Arch package is is this script (a "PKGBUILD" accompanied by a writing guide and a linter). This particular one is mostly a copy-paste from the Go package guidelines for Arch.

Arch has two sets of repositories, the official repositories and the Arch User Repository (AUR). In general, new packages are submitted to the latter (where anyone can submit packages), and eventually graduate into the official repositories if they see sufficient demand + maintain a high quality install script over time. pacman only installs directly from the official repositories, though a number of tools exist to wrap pacman such that it can also install from the AUR, and most Arch users have one of them installed. For those that don't, the way to install from the AUR is as follows:

git clone https://aur.archlinux.org/topfew.git
cd topfew
makepkg -i

Where makepkg is a tool provided by pacman for building packages from source using a PKGBUILD (the -i flag means "install after building"). It's what's ultimately used to build every Arch package.

In terms of owning an AUR package, the submission guidelines has a decent section on maintaining packages, which is quite short. I'd say the main two tasks for maintenance are to cut a new release of the package when there's a new upstream release and to monitor for comments on the package (you can enable email notifications). Cutting a new release is very straightforward:

  1. change the pkgver line in the PKGBUILD
  2. run updpkgsums to download the new release tarball and stick its shasum into the PKGBUILD
  3. makepkg --printsrcinfo > .SRCINFO to update the package metadata
  4. git commit && git push to release

I'm happy to just do that though — no need for you to get up to speed on a completely new ecosystem just to enable Arch folks to use the package more easily, especially when it's so little work on my part :) Can't guarantee I'll have the time in perpetuity, but for now 👍

As for what to do on your end on a release, I'd be happy to give you push rights to the package so that you can do the update process above proactively yourself, but otherwise just ping me when there's a release and I can do that quick ritual to bump the Arch package (I also already have notification for new topfew releases on GitHub).

@timbray
Copy link
Owner

timbray commented May 6, 2024

That all makes sense. I'm writing an INSTALLING.md and will include the instructions there. For the foreseeable future, I'll notify you about any releases. As for commit rights, does aur.archlinux.org have a PR-like mechanism? Rather than pushing myself, in the short term I'd be happier preparing a PR for you to look at and once it seems like I have the details right, I'd be more confident about pushing.

Also, questions:

First, the tf-linux-x86.gz binary in https://github.com/timbray/topfew/releases should run OK on arch, right?

Next I'm interested in the GOFLAGS from your PKGBUILD:

-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw

I've looked them up and I think I understand what they do. Do you have opinions as to the value they add; should I consider adding them to the standard binary-build step of the release automation? I had (perhaps naively) assumed that the go build defaults would more or less do the right thing.

@timbray
Copy link
Owner

timbray commented May 6, 2024

Oh wait, I just read https://wiki.archlinux.org/title/Go_package_guidelines and https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro - my conclusion is that there is no harm and potentially good benefits from copying those GOFLAGS. Do you agree?

@jonhoo
Copy link
Author

jonhoo commented May 9, 2024

As for commit rights, does aur.archlinux.org have a PR-like mechanism?

Sadly no. Official packages have a full-fledged GitLab instance, but the AUR is just git. Feel free to email me patches if you want to give it a try though (jon at the domain of https://thesquareplanet.com) :)

First, the tf-linux-x86.gz binary in https://github.com/timbray/topfew/releases should run OK on arch, right?

Yes, I don't see why not. The most common issue with pre-built binaries is if they're built with a newer glibc than the installation target, but that's unlikely to be the case with Arch given it's rolling release. The next most common is that the pre-built binary uses versions of system libraries that don't match what is available in the distro, but that shouldn't be the case here since the only dependency (I think) is glibc.

For go packages, builds are so fast that I'm not terribly concerned about building from source though. I think that's also generally the Arch preference to make patching, seeing what changed, matching system libraries, etc. easier. If the package becomes an official Arch package, the built package is also what is generally installed by users, so they don't pay the cost of building from source (unless they want to).

There is a preference in the Arch community to not rely on GitHub auto-created source tarballs since they aren't guaranteed to match the actual contents of the repository (or the sources used to build pre-built release artifacts), but that matters more for C projects that rely on autoconf than for things like Go projects.

[..] my conclusion is that there is no harm and potentially good benefits from copying those GOFLAGS. Do you agree?

I don't do a whole lot of Go any more these days, but the flags do seem pretty reasonable to me. I'm honestly not sure why they aren't used by go build by default, but 🤷 It could be that they make the resulting binary less portable perhaps, so depending on how important that is for you for the published binaries, that may change the calculus. I'd personally probably take the path of "make the binaries more secure by including the flags until someone complains".

@timbray
Copy link
Owner

timbray commented May 9, 2024 via email

timbray added a commit that referenced this issue May 11, 2024
addresses #28 and #27

Signed-off-by: Tim Bray <[email protected]>
@timbray
Copy link
Owner

timbray commented May 11, 2024

Anyhow, closing this issue. Will be releasing 1.1.0 soon with an INSTALLING.md

Thanks for this work!

@timbray timbray closed this as completed May 11, 2024
timbray added a commit that referenced this issue May 12, 2024
* kaizen: add -q option for quoted fields

addresses #28 and #27

Signed-off-by: Tim Bray <[email protected]>

* add missing test data

Signed-off-by: Tim Bray <[email protected]>

---------

Signed-off-by: Tim Bray <[email protected]>
@timbray
Copy link
Owner

timbray commented Jun 27, 2024

I recently released 2.0. It's a breaking change because Homebrew wouldn't take my binary name of "tf" because that's what everyone uses for Terraform, so it's just "topfew". No biggie.

@timbray timbray reopened this Jun 27, 2024
@jonhoo
Copy link
Author

jonhoo commented Jul 2, 2024

Yep, I've already pulled in 2.0 into the Linux package, though did not change the binary name. Happy to do so, though (as discussed over email) the manpage should then probably be renamed first too.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants