Tue Feb 11 23:25:09 UTC 2020 Eli Schwartz <eschwartz at archlinux.org>
> "upstream recommends using vendored static linking" is not an acceptable
> reason to violate the packaging guidelines.
>
> The program *must* build using the system versions of the 46
> dependencies listed in the -static package, and the pkgname must be
> "clickhouse", not "clickhouse-static", in order to be moved to
> community; this is part of the "quality of life" care which defines a
> Trusted User's job.
>
> Among other things, this ensures that the openssl and libcurl versions
> used are the latest versions which are tracked on the security tracker
> and patched with security backports if needed -- something which is
> understandably important for anything that is communicating over the
> network.
>
> Also, libxml2 from 2 years ago, which is a bit ouch because xml is not
> exactly the least-exploited data format ever.
>
> Even linux distributions which build statically by default, will expect
> that the program link to the system's lib*.a static library packages
> rather than build a custom one.

Hello Eli,

Thank you for the full answer.

So, as a conclusion, to fulfill the requirements, every dependency must be added to [community] before the main package, and only after that could clickhouse be added there as well. That's understandable.

Maybe I could try to implement regular builds for Arch in the repo and then bring this topic up again.

Best regards,
Mikhail f. Shiryaev
