aur_pkgs/_docs/README
2016-07-01 21:51:28 -04:00
######################################################################################################################################
#####                                                      AUR maintenance                                                       #####
#####                                                                                                                            #####
#####                                                   Written by Brent Saner                                                   #####
#####                                                   <bts@square-r00t.net>                                                    #####
#####   Source available at https://git.square-r00t.net/AUR_pkgs      Bugs at https://bugs.square-r00t.net/index.php?project=4   #####
######################################################################################################################################
I maintain[0] a lot of AUR (Arch User Repository)[1] packages for Arch Linux[2].
A lot. 45 at the time of writing this document (06.30.2016).
For the most part I don't need to do much: watch for changes upstream, tweak some version variables, sign the sources (unless it's a
package built from a direct source-control checkout[3]), run makepkg[4] to test it, and send it on its way.
But that's more time than I want to spend.
So I have some scripts to help me easily handle adding packages, maintaining them, etc., and keep it all in a nice and tidy git
repository using submodules. (In the future, I'll be offering an actual Arch repository for my packages so you can use it directly with
pacman[5].) However, it's a simultaneous goal of mine to help out users who also want to package software for the AUR. That's what this
document sets out to do.
## Preparation/Starting ##
# Customizing the Scripts #
You'll want to edit the PKGBUILD_DIR variable (submodule.update.sh, new.package.sh, and sign.package.sh), the GPGKEY variable
(new.package.sh and sign.package.sh), and the MAINTNAME variable (in new.package.sh) before running anything. If you don't have a
GPG key yet, keep reading (and remember to do it afterwards!).
# Finding a Package #
If you don't yet have a package in mind that you WANT packaged and are more interested in helping out the community, there are
a lot of packages that used to have a maintainer but no longer do. These are called "Orphan" packages.
Adopting an orphan package is a great start to getting involved with packaging as you'll have a base PKGBUILD already from the
previous maintainer and you'll be providing a package that has been desired. I recommend finding an orphan with a high number of votes[6]
to adopt. Make sure it hasn't been moved to [Community] or another Arch repository!
# Keys #
The AUR, along with being quite fast in processing packages, is also fairly secure. It uses git over SSH to manage
read/write permissions (pro-tip: you can add other AUR users as co-maintainers of your packages!), and offers a place for you to put a
GPG key fingerprint for signing the sources with (which is HIGHLY recommended!).
# SSH #
While not *strictly* necessary, you can create a separate SSH key for the AUR. This is recommended, however, as it can
make for easier package maintenance across different hosts/users and separates your normal-access SSH keys from your AUR access, which
is a little less of a security risk (especially since we'll be signing our packages later on).
If you have no idea what SSH public key authentication is, that's fine. We'll be generating a new key. First, I highly
recommend using either a 4096-bit RSA or an ED25519 key. For simplicity's sake, let's use ED25519 (since it's preferred[7] anyway). Run this
as the user you plan on committing packages as (i.e. WITHOUT sudo/NOT as the root user):
ssh-keygen -t ed25519 -o -a 100
The default paths are ideal and while password-protecting your key isn't necessary (and may get cumbersome if you plan
on updating a lot of packages at once), it's recommended.
Next we need to copy your public key (it is PERFECTLY safe to give this out, as it is designed to be publicly exposed):
cat ~/.ssh/id_ed25519.pub
MAKE SURE you are copying and pasting the file that ends in .pub! The file without the ".pub" at the end (here ~/.ssh/id_ed25519) is your
private key and should be kept totally secret; don't give it out to anyone. The public key should be one line only.
Hold onto that, maybe put it in a gvim session or something- you'll need it in a bit.
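As an added example (not part of the AUR_pkgs project's scripts), here is a small sanity check you can run on the file before pasting it into the AUR, refusing anything that is not a single-line ssh-ed25519 public key, plus a helper that prints an ssh_config stanza so a dedicated key (path assumed) is the only one ever offered to aur.archlinux.org. It assumes a POSIX sh with awk and grep.

```shell
#!/bin/sh
# Added example, not code from the AUR_pkgs project.

# check_pubkey FILE [TYPE]: succeed only if FILE is a one-line OpenSSH public
# key of TYPE (default ssh-ed25519). Prints the reason on stderr otherwise.
check_pubkey() {
    file="$1"; want="${2:-ssh-ed25519}"
    case "$file" in
        *.pub) ;;
        *) echo "refusing: '$file' does not end in .pub (private key?)" >&2; return 1 ;;
    esac
    [ -r "$file" ] || { echo "refusing: cannot read '$file'" >&2; return 1; }
    if grep -q 'PRIVATE KEY' "$file"; then
        echo "refusing: '$file' contains private key material" >&2; return 1
    fi
    # A public key is exactly one line: "<type> <base64 blob> [comment]".
    [ "$(awk 'END { print NR }' "$file")" -eq 1 ] ||
        { echo "refusing: '$file' is not exactly one line" >&2; return 1; }
    set -- $(cat "$file")
    [ "$1" = "$want" ] ||
        { echo "refusing: key type is '$1', expected $want" >&2; return 1; }
    # The blob is the SSH wire encoding (uint32 length + type string + key).
    # For ssh-ed25519 that header base64-encodes to a fixed prefix, and the
    # 32-byte key makes the whole blob exactly 68 base64 characters.
    if [ "$want" = ssh-ed25519 ]; then
        case "$2" in
            AAAAC3NzaC1lZDI1NTE5AAAAI*) ;;
            *) echo "refusing: blob lacks the ssh-ed25519 header" >&2; return 1 ;;
        esac
        [ ${#2} -eq 68 ] ||
            { echo "refusing: ed25519 blob should be 68 chars, got ${#2}" >&2; return 1; }
    fi
    return 0
}

# aur_ssh_config KEYFILE: print an ssh_config stanza that uses only KEYFILE
# for the AUR, so your everyday keys are never offered to aur.archlinux.org.
# (The key path is whatever you chose with "ssh-keygen -f"; assumed here.)
aur_ssh_config() {
    printf 'Host aur.archlinux.org\n    User aur\n    IdentityFile %s\n    IdentitiesOnly yes\n' "$1"
}

# Typical use: check_pubkey ~/.ssh/id_ed25519.pub && cat ~/.ssh/id_ed25519.pub
```

Append the stanza printed by aur_ssh_config to ~/.ssh/config once you have decided on a key path.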
# GPG #
This step is also not necessary, but if you plan on using the _bin/ scripts as part of this project, it is. It also
provides added assurance for your users that YOU packaged them and increases the overall security (plus you can use your GPG key for
a whole slew of other things like encryption and the like. It's very handy!).
First you need to generate a GPG keypair (if you haven't already).
gpg --full-gen-key
You will want to make sure you have an appropriate version of pinentry linked (i.e. if you're on a terminal-only machine,
"sudo ln -sf /usr/bin/pinentry-curses /usr/bin/pinentry" on an Arch system) beforehand. The default for expiration (0) should be fine.
When prompted for the kind of key, accept the default (RSA and RSA). I recommend changing the keysize to 4096 instead of 2048 (speed isn't
a concern for us). You'll be prompted for your real name (i.e. first/last)- you can use an alias here if you have privacy concerns, but
know that you should use one that matches your AUR username AND the name you use as the Maintainer in your PKGBUILDs. You'll also be prompted
for an email- be sure to use a valid one, though feel free to use one that doesn't have your real name attached. As for comment, feel free
to put anything in here- if this is a key you're generating explicitly for use with the AUR, I recommend your AUR username here, or your
personal website URL. You'll be prompted if it's okay- if you don't need to edit anything, enter "o" (without quotes).
Then you'll need to come up with a strong password. I mean really strong. It should be at least 16 random characters,
mixed-case, letters + numbers + symbols. REMEMBER IT AND DON'T WRITE IT DOWN. Re-enter to confirm.
Next it will try to generate the key- if you don't have a lot of entropy available, this can take a LOOONG time. If that's
the case, install and run "haveged".
When it's done, it'll print your key for you. It should look something like this:
gpg: /home/username/.gnupg/trustdb.gpg: trustdb created
gpg: key 9C4CD61F marked as ultimately trusted
gpg: directory '/home/username/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/username/.gnupg/openpgp-revocs.d/80E0944D76EEA7B3F063FCEB26DDA3589C4CD61F.rev'
public and secret key created and signed.
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 3 signed: 12 trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: depth: 1 valid: 12 signed: 1 trust: 1-, 0q, 0n, 6m, 5f, 0u
gpg: depth: 2 valid: 1 signed: 0 trust: 1-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2016-07-04
pub   rsa4096/9C4CD61F 2016-07-01 [S]
      Key fingerprint = 80E0 944D 76EE A7B3 F063 FCEB 26DD A358 9C4C D61F
uid         [ultimate] test user (testuser) <test@email.com>
sub   rsa4096/A677BC22 2016-07-01 []
Now we need to grab our key ID and fingerprint. They're essentially the same, but the Fingerprint is broken up into
four-character sections. In the above example, the full ("long") key ID is 80E0944D76EEA7B3F063FCEB26DDA3589C4CD61F, the short form is 9C4CD61F
(the last 16), and the fingerprint is 80E0 944D 76EE A7B3 F063 FCEB 26DD A358 9C4C D61F.
Hold onto that information (the key ID and fingerprint). If you forget it, you can get it again by:
gpg -K --fingerprint --with-colons <your identity> | egrep '^fpr:' | cut -f10 -d":"
Where <your identity> is the email address you have associated with the key. If you forget THAT, you can get a list of
identities you have private keys for by doing "gpg -K".
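As an added example (not part of the AUR_pkgs project), the snippet below refines the pipeline above in two ways: it picks out only the fingerprint that belongs to the primary secret key (the plain egrep also prints the subkey's fpr line), and it derives the long and short key IDs from a 40-digit fingerprint, which are its trailing 16 and 8 hex digits respectively. The colon-format listing it parses is constructed from the key shown above, with a made-up placeholder subkey fingerprint.

```shell
#!/bin/sh
# Added example, not code from the AUR_pkgs project. All sample data is constructed.

# Constructed listing shaped like "gpg -K --fingerprint --with-colons" output
# for the key above. Field 5 of sec/ssb is the long key ID; field 10 of fpr
# is the fingerprint. The subkey fingerprint is a placeholder, not a real one.
SAMPLE_LISTING='sec:u:4096:1:26DDA3589C4CD61F:1467417600:::u:::scESC:::+::::
fpr:::::::::80E0944D76EEA7B3F063FCEB26DDA3589C4CD61F:
uid:u::::1467417600::0000000000000000000000000000000000000000::test user (testuser) <test@email.com>::::::::::0:
ssb:u:4096:1:89ABCDEFA677BC22:1467417600::::::e:::+::::
fpr:::::::::0123456789ABCDEF0123456789ABCDEFA677BC22:'

# primary_fpr: read a colon listing on stdin and print only the fingerprint
# that follows a primary secret key ("sec"), skipping subkey ("ssb") ones.
primary_fpr() {
    awk -F: '$1 == "sec" { want = 1 }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# fpr_ids FINGERPRINT: accept a 40-hex-digit v4 fingerprint (spaces and
# lowercase allowed) and print "long=<last 16 hex> short=<last 8 hex>".
# The short ID is only 32 bits, so configure tools (GPGKEY, the AUR profile)
# with the full fingerprint or at least the long ID, never the short form.
fpr_ids() {
    f=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    case "$f" in
        ''|*[!0-9A-F]*) echo "not a hex fingerprint: '$1'" >&2; return 1 ;;
    esac
    [ ${#f} -eq 40 ] || { echo "expected 40 hex digits, got ${#f}" >&2; return 1; }
    printf 'long=%s short=%s\n' \
        "$(printf '%s' "$f" | cut -c25-40)" "$(printf '%s' "$f" | cut -c33-40)"
}

# On a real keyring you would feed gpg itself instead of the sample:
#   gpg -K --fingerprint --with-colons you@example.com | primary_fpr
printf '%s\n' "$SAMPLE_LISTING" | primary_fpr
fpr_ids '80E0 944D 76EE A7B3 F063 FCEB 26DD A358 9C4C D61F'
```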
# Registering in the AUR #
Make sure you register[8] on the AUR[1,9]. Add the SSH pubkey and GPG Fingerprint from above.
Once done, to test (and initialize your AUR backend repository), do:
ssh aur@aur.archlinux.org help
If it returns "Permission denied (publickey).", make sure you have the proper public key pasted in your user settings on the AUR.
## Registering a Package ##
There are three ways to go about this:
* If it's a brand new package, simply do:
git clone aur@aur.archlinux.org:<packagename>
(where <packagename> is the name of the package you want to add. No spaces, etc.)
* If it's an orphaned package, you can simply click on the "Adopt Package" link on the right of the package's page (once logged into the AUR),
then clone it as normal.
* If it's a package that used to exist in the AUR but was removed (and doesn't exist in the Arch official repositories), you can do:
ssh aur@aur.archlinux.org restore <packagename>
(where <packagename> is the name of the package you want to reintroduce. No spaces, etc.)
Congratulations! That package now belongs to you, and it is your responsibility to keep it up to date, cleanly building, and secure. (At least
until it's hopefully adopted into the Community repository!)
## Using this Project ##
Now that you have a package (or more), you can make use of the scripts this project offers.
After cloning, you'll want to remove all of my packages (from within the directory):
git submodule deinit -f .
for i in $(find ./ -maxdepth 1 -type d | sed -re 's@\./@@g' -e '/^(\.git|_|$)/d');
do
    rm -r "${i}"
    rm -rf .git/modules/"${i}"
    git config -f .gitmodules --remove-section "submodule.${i}"
done
And then you can add your own packages:
_bin/submodule.update.sh
Done!
## Tips/Tricks ##
I recommend using _bin/new.package.sh for adding a new package, as it uses a nice generic PKGBUILD, sets up a good .gitignore, etc.
I also encourage you to set up something similar to (and follow along with!) my devblog[10]. This provides a more detailed way of conveying
information than the sometimes lacking AUR web interface.
[0] https://aur.archlinux.org/packages/?SeB=m&K=sanerb
[1] https://wiki.archlinux.org/index.php/Aur
[2] https://www.archlinux.org/
[3] https://wiki.archlinux.org/index.php/VCS_package_guidelines
[4] https://wiki.archlinux.org/index.php/Makepkg
[5] https://wiki.archlinux.org/index.php/pacman
[6] https://aur.archlinux.org/packages/?O=0&SeB=nd&K=&outdated=&SB=v&SO=d&PP=50&do_Orphans=Orphans
[7] https://stribika.github.io/2015/01/04/secure-secure-shell.html
[8] https://aur.archlinux.org/register/
[9] https://wiki.archlinux.org/index.php/Arch_User_Repository#Submitting_packages
[10] https://devblog.square-r00t.net