On Sun 06 Feb 2011 17:52 -0600, Thomas Dziedzic wrote:
> On Sun, Feb 6, 2011 at 4:58 PM, keenerd <[email protected]> wrote:
> > On 2/6/11, Loui Chang <[email protected]> wrote:
> >> You probably want to grab the tarballs, and extract what's in those.
> >> The next release of the AUR will only have tarballs and PKGBUILDs.
> >> The other files won't be extracted.
> >
> > Hey, you are stealing my idea! :-) AUR3 does that, and it saves
> > several hundred megabytes. Completely worth it.
>
> I fail to see how this is worth it, imo, a better system is to convert
> to git and not track the src.tar.gz
>
> Is there a good reason for this switch? To save 450mb is not a good
> reason imo, for an incomplete listing of all the files.

Well, there are several reasons. Lukas' commit message from commit ec0dfc2
briefly summarizes it.

> Automatic tarball extraction was vulnerable in different ways. Users
> should also only use source tarballs to build packages, so this has
> been removed completely. From now on, only the PKGBUILD is extracted
> in a secure manner.

Also, I'm not really sure that git is the best way to distribute source
packages, but I'm glad that you're exploring different options. :D

If I want to obtain or share a few build scripts for a few packages I
really don't want to keep a 450mb repo. I have heard about shallow
checkouts being implemented in git though, so maybe it could work.
devtools uses subversion at least partially because of this large
checkout issue.
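
The quoted commit message says only the PKGBUILD is extracted "in a secure manner". One way to do such a step, as an added example that is not part of this message and not the AUR's code from commit ec0dfc2: read the single PKGBUILD member into memory and never unpack the archive to disk. The names `read_pkgbuild`, `make_tarball` and `MAX_PKGBUILD_BYTES`, the size cap, and the `<pkgname>/PKGBUILD` layout are assumptions.

```python
import io
import tarfile

MAX_PKGBUILD_BYTES = 64 * 1024  # assumed cap, not a value taken from the AUR


def read_pkgbuild(tarball: bytes) -> bytes:
    """Return the PKGBUILD contents from a source tarball without unpacking it.

    Nothing is written to disk, so member names containing "../", absolute
    paths, symlinks and device nodes in the archive never touch the filesystem.
    """
    found = None
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:*") as tar:
        for member in tar:
            parts = member.name.split("/")
            # Assumed layout: exactly "<pkgname>/PKGBUILD"; ignore everything else.
            if len(parts) != 2 or parts[1] != "PKGBUILD" or parts[0] in ("", ".", ".."):
                continue
            if not member.isreg():
                raise ValueError("PKGBUILD is not a regular file")
            if member.size > MAX_PKGBUILD_BYTES:
                raise ValueError("PKGBUILD is too large")
            if found is not None:
                raise ValueError("more than one PKGBUILD in archive")
            found = tar.extractfile(member).read(MAX_PKGBUILD_BYTES)
    if found is None:
        raise ValueError("no PKGBUILD found")
    return found


def make_tarball(entries):
    """Build a constructed sample .tar.gz from (name, type, payload) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            info.type = kind
            if kind == tarfile.SYMTYPE:
                info.linkname = payload  # symlink target, no data block
                tar.addfile(info)
            else:
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()
```

The upload handler would still need to bound the compressed upload size itself, since iterating the members decompresses the whole stream.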
