[Dev] Compiling our own core packages
Josh Branning
lovell.joshyyy at gmail.com
Thu Jan 12 10:10:58 GMT 2017
On 08/01/17 15:09, Luke wrote:
> Hello everyone,
>
> Due to some serious disagreements with upstream Arch, we are going to
> start compiling our own core packages.
>
> This is involving upstream bug https://bugs.archlinux.org/task/49979
> against binutils. It is currently built with HTTP, no GPG signature, and
> no hash check. They are unwilling to fix the issue and have made several
> concerning comments.
>
> Since the secured PKGBUILD is already made, upstream has little excuse
> not to package it. We can roll out this important security fix in
> [libre] after it has been tested.
>
> All core packages should have HTTPS/GPG/SHA512 whenever possible, so we
> will be updating a few other core PKGBUILDs as well and pushing these
> updates to libre-testing.
>
> Luke
Regardless of the disagreements with Arch GNU/Linux, I think compiling
the core packages is a good idea, it will also be useful for porting to
new architectures, indeed, dagpkg could help.
I was thinking of compiling pacman on a different system (debian). Then
using pacman; get libretools and crosstool-ng; then using libretools and
dagpkg; cross compile the base packages using a cross compiler. That
way, parabola could be compiled from a different system or, as
mentioned, to a new architecture.
As it stands, dagpkg is pretty much entirely written in bash, and though
libretools has some dependencies, dagpkg alone could probably run on a
different system without installing many, or any, other dependencies.
Of course, the user wishing to compile parabola on a different system
could just install these dependencies ... but this is extra work, and I
feel that the fewer dependencies needed to compile a working system, the
better.
So, let me reiterate: From my perspective, a build server/system would
be best if it does not introduce additional (or too many additional)
dependencies, other than what's in dagpkg already, but I know that's
really up to whoever does the work and puts the effort in.
For the packages that can't be cross-compiled (hopefully only the ones
that aren't base packages, if at all), qemu would be needed to do the
rest, without switching to the host machine.
I notice that qemu-static and binfmt-qemu-static both have python2 as a
dependency, which is somewhat problematic, as python is difficult to
cross-compile without patching. Linux from scratch lists it as a
dependency, but the qemu site does not [1], so it makes me wonder if
python2 is really needed in these packages too.
All in all, I'm glad you have decided to take this route (compiling the
base packages from source), as I'm hoping it'll mean less work for me in
future.
Parabola is an excellent system, and I am very much grateful for the
time people have contributed to make it happen. :)
Josh.
[1] http://wiki.qemu.org/Hosts/Linux
More information about the Dev
mailing list