On Sun, Feb 6, 2011 at 6:22 PM, Loui Chang <[email protected]> wrote:
> On Sun 06 Feb 2011 17:52 -0600, Thomas Dziedzic wrote:
>> On Sun, Feb 6, 2011 at 4:58 PM, keenerd <[email protected]> wrote:
>> > On 2/6/11, Loui Chang <[email protected]> wrote:
>> >> You probably want to grab the tarballs, and extract what's in those.
>> >> The next release of the AUR will only have tarballs and PKGBUILDs.
>> >> The other files won't be extracted.
>> >
>> > Hey, you are stealing my idea! :-) AUR3 does that, and it saves
>> > several hundred megabytes. Completely worth it.
>>
>> I fail to see how this is worth it, imo, a better system is to convert
>> to git and not track the src.tar.gz
>>
>> Is there a good reason for this switch? To save 450mb is not a good
>> reason imo, for an incomplete listing of all the files.
>
> Well, there are several reasons. Lukas' commit message from commit ec0dfc2
> briefly summarizes it.
>
>> Automatic tarball extraction was vulnerable in different ways. Users
>> should also only use source tarballs to build packages, so this has
>> been removed completely. From now on, only the PKGBUILD is extracted
>> in a secure manner.
>
> Also,
>
> I'm not really sure that git is the best way to distribute source
> packages, but I'm glad that you're exploring different options. :D
>
> If I want to obtain or share a few build scripts for a few packages I
> really don't want to keep a 450mb repo.
>
> I have heard about shallow checkouts being implemented in git though, so
> maybe it could work. devtools uses subversion at least partially because
> of this large checkout issue.
>
>

Well, whatever the case, I stayed up a while working on finishing this
new version of the system.

The new version syncs only the .tar.gz files, which makes it less
resource hungry, and this also adds a natural ability to commit per
package :)

I still need to test out deleting functionality, so if you could run the
cleanup script at some point today, that would be awesome.

Cheers!
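
The quoted commit message says only the PKGBUILD is now extracted, "in a secure manner", but the thread does not show how. The following is an added example, not code from the AUR or from anyone in this thread: one way to read just the PKGBUILD out of an uploaded source tarball in memory, so that no member path from the archive is ever written to disk. The function names, the `<pkgname>/PKGBUILD` layout check, the size cap and the sample archives are all assumptions made for the illustration.

```python
import io
import tarfile

MAX_PKGBUILD_BYTES = 64 * 1024  # assumed size cap, not an AUR setting


def read_pkgbuild(tar_bytes, pkgname):
    """Return PKGBUILD text from an uploaded source tarball, in memory only."""
    wanted = f"{pkgname}/PKGBUILD"  # exact match: no "..", no absolute paths
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar:
            if member.name != wanted:
                continue  # other members are never opened or written anywhere
            if not member.isreg():
                raise ValueError("PKGBUILD is a link or special file")
            if member.size > MAX_PKGBUILD_BYTES:
                raise ValueError("PKGBUILD exceeds size cap")
            return tar.extractfile(member).read().decode("utf-8", "replace")
    raise ValueError("tarball has no " + wanted)


def make_tarball(entries):
    """Build a constructed sample tarball from (name, type, payload) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            info.type = kind
            if kind == tarfile.SYMTYPE:
                info.linkname = payload  # link target, no file data
                tar.addfile(info)
            else:
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed samples: a normal upload carrying a traversal member, and one
# whose PKGBUILD is a symlink to a file outside the package directory.
SAMPLE_OK = make_tarball([
    ("../../tmp/dropped", tarfile.REGTYPE, b"ignored"),
    ("foo/PKGBUILD", tarfile.REGTYPE, b"pkgname=foo\npkgver=1.0\n"),
])
SAMPLE_SYMLINK = make_tarball([("foo/PKGBUILD", tarfile.SYMTYPE, "/etc/passwd")])

if __name__ == "__main__":
    print(read_pkgbuild(SAMPLE_OK, "foo"))
```

Because nothing is unpacked, the `../../tmp/dropped` member in the first sample is skipped without touching the filesystem, and the symlinked PKGBUILD in the second is rejected instead of being followed.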
