On 2021/01/05 21:29, Aaron Bieber wrote:
> Hi,
> 
> Here is a portgen'd port of obsdpkgup. You might remember it from
> previous threads on misc@[1].
> 
> I have been using it for some time now. Basically one can use genpkgup
> to create a package index, this index can be used by end users to create
> a "slim" list of packages that need upgrading.
> 
> You can check your packages (amd64/snapshots only) with the following
> command:
>   PKGUP_URL="https://deftly.net/pkgup"; obsdpkgup
> 
> This will produce a list of only the out of date packages. This list can
> later be used with pkg_add to only fetch what is needed.
> 
> OK to import?
> 
> [1] https://marc.info/?l=openbsd-misc&m=159234132018626&w=2
> 

Looking at this, it's better than I thought it would be; there are some
problems though:

- The version number comparison using mcuadros/go-version is wrong;
it doesn't match packages-specs(5).

- There doesn't seem to be a way to validate that index.pkgup.gz is done
against the current available package build. For this I would suggest
recording the timestamp of the @digital-signature on the quirks package
in the index, and verifying when the update is run. (grep out of
"PKG_DBDIR=/var/empty PKG_PATH=$whatever pkg_info -f quirks" will do
the trick).

Between those two it could cause problems, because the user may try to
update a too-small subset of packages. The first problem is obvious.
With the second problem, if a library is bumped after the index is
generated, the required updates won't show up. For both, if people use
it and then run into problems, it's likely the bug reports will end up
with openbsd rather than pkgup. This makes me not want to add it to
packages yet (adding it could easily be seen as an endorsement of using
it). This would be less of a problem if it at least tried to detect
outdated caches and printed a clear warning.

Less important, but I'd be happier if it used the signature from pkg_info
-qS rather than its own version using grep on +CONTENTS, to guard
against possible future changes to things that pkg_add considers when
deciding whether to update (also I think it would make sense to include
the whole string rather than a hash of the signature; there's no need to
hide that). As long as the full url/filename is used, pkg_add will fetch
the file directly without grabbing the index first, i.e.

  PKG_DBDIR=/var/empty pkg_info -qS http://mirror/pub/OpenBSD/snapshots/packages/amd64/moo-1.5p0.tgz

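As an added example (not code from obsdpkgup, genpkgup or the OpenBSD pkg tools), the following sh sketch shows the two checks suggested in the reply above: genpkgup records the timestamp from the quirks package's @digital-signature line in the index, obsdpkgup re-reads that timestamp from the mirror before trusting the index and warns when they differ, and packages are compared by their full pkg_info -qS signature string rather than a hash or a parsed version. It runs offline: the pkg_info output and index contents below are constructed stand-ins for what `PKG_DBDIR=/var/empty PKG_PATH=$mirror pkg_info -f quirks` and `PKG_DBDIR=/var/empty pkg_info -qS <full url>` would print. The `@digital-signature signify2:<ISO-8601 time>:external` line format, the `#quirks-signature` stamp line and the placeholder signature strings are assumptions made for this example.

```sh
#!/bin/sh
# Added example sketch, not obsdpkgup's code: stamp the index with the quirks
# @digital-signature timestamp, verify the stamp before using the index, and
# compare whole pkg_info -qS signature strings.

# --- constructed sample data (stands in for real pkg_info output) ------------

# Constructed: what "PKG_DBDIR=/var/empty PKG_PATH=$mirror pkg_info -f quirks"
# printed when the index was generated (trimmed to the relevant lines).
# Assumed line format: "@digital-signature signify2:<ISO-8601 time>:external".
QUIRKS_AT_INDEX_TIME='@name quirks-3.500
@comment pkgpath=devel/quirks
@digital-signature signify2:2021-01-05T21:29:00Z:external'

# Constructed: the same command run later, after a new build reached the mirror.
QUIRKS_NOW='@name quirks-3.501
@comment pkgpath=devel/quirks
@digital-signature signify2:2021-01-06T08:23:11Z:external'

# Constructed index as genpkgup might write it: an assumed "#quirks-signature"
# stamp line, then one "filename signature" entry per package. The signature
# values are placeholders for whatever pkg_info -qS prints; they are only ever
# compared as opaque text, never parsed.
INDEX='#quirks-signature 2021-01-05T21:29:00Z
moo-1.5p0.tgz moo-1.5p0,@libfoo.1.0'

# --- functions ---------------------------------------------------------------

# Extract the timestamp from the @digital-signature line of pkg_info -f output.
# The greedy \(.*\) keeps the colons inside the ISO-8601 time; the trailing
# ":[^:]*$" strips the ":external" suffix.
quirks_sig_ts() {
    printf '%s\n' "$1" |
        sed -n 's/^@digital-signature [^:]*:\(.*\):[^:]*$/\1/p' | head -n 1
}

# Stamp line genpkgup would put at the top of the index (format assumed here).
index_stamp_line() {
    printf '#quirks-signature %s\n' "$1"
}

# Read the stamp back out of an index.
index_stamp() {
    printf '%s\n' "$1" | sed -n 's/^#quirks-signature \(.*\)$/\1/p' | head -n 1
}

# $1: index text, $2: current "pkg_info -f quirks" output from the mirror.
# Returns 0 when the index was generated against the build now on the mirror,
# otherwise prints a clear warning and returns 1 so the caller can refuse to
# compute an update list from a stale index.
check_index_fresh() {
    idx=$(index_stamp "$1")
    now=$(quirks_sig_ts "$2")
    if [ -z "$idx" ] || [ -z "$now" ]; then
        echo "warning: cannot read quirks signature; index may be stale" >&2
        return 1
    fi
    if [ "$idx" != "$now" ]; then
        echo "warning: index built against quirks signed $idx," \
             "mirror now has $now; regenerate the index" >&2
        return 1
    fi
    return 0
}

# Decide "needs update" the way pkg_add does: the installed signature string
# (pkg_info -qS name) differs from the remote one (pkg_info -qS full-url).
# Full strings, not hashes, so a mismatch can be shown to the user as-is.
needs_update() {
    [ "$1" != "$2" ]
}

# --- stand-alone demo --------------------------------------------------------
index_stamp_line "$(quirks_sig_ts "$QUIRKS_AT_INDEX_TIME")"
check_index_fresh "$INDEX" "$QUIRKS_AT_INDEX_TIME" && echo "index matches mirror build"
check_index_fresh "$INDEX" "$QUIRKS_NOW" || echo "refusing to use stale index"
if needs_update 'moo-1.5p0,@libfoo.1.0' 'moo-1.5p0,@libfoo.2.0'; then
    echo "moo-1.5p0: signature changed, pkg_add would update it"
fi
```

The stale-index case is the one that matters: here a library bump after index generation changes the quirks signature timestamp, so the check fails closed and the user is told to fetch a fresh index instead of silently getting a too-small package list.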