[Dev] Compiling our own core packages

Josh Branning lovell.joshyyy at gmail.com
Thu Jan 12 10:10:58 GMT 2017 

On 08/01/17 15:09, Luke wrote:
> Hello everyone,
>
> Due to some serious disagreements with upstream Arch, we are going to
> start compiling our own core packages.
>
> This is involving upstream bug https://bugs.archlinux.org/task/49979
> against binutils. It is currently built with HTTP, no GPG signature, and
> no hash check. They are unwilling to fix the issue and have made several
> concerning comments.
>
> Since the secured PKGBUILD is already made, upstream has little excuse
> not to package it. We can roll out this important security fix in
> [libre] after it has been tested.
>
> All core packages should have HTTPS/GPG/SHA512 whenever possible, so we
> will be updating a few other core PKGBUILDs as well and pushing these
> updates to libre-testing.
>
> Luke

Regardless of the disagreements with Arch GNU/Linux, I think compiling 
the core packages is a good idea, it will also be useful for porting to 
new architectures, indeed, dagpkg could help.

I was thinking of compiling pacman on a different system (debian). Then 
using pacman; get libretools and crosstool-ng; then using libretools and 
dagpkg; cross compile the base packages using a cross compiler. That 
way, parabola could be compiled from a different system or, as 
mentioned, to a new architecture.

As it stands, dagpkg is pretty much entirely written in bash, and though 
libretools has some dependencies, dagpkg alone could probably run on a 
different system without installing many, or any, other dependencies.

Of course, the user wishing to compile parabola on a different system 
could just install these dependencies ... but this is extra work, and I 
feel that the fewer dependencies needed to compile a working system, the 
better.

So, let me reiterate: From my perspective, a build server/system would 
be best if it does not introduce additional (or too many additional) 
dependencies, other than what's in dagpkg already, but I know that's 
really up to whoever does the work and puts the effort in.

For the packages that can't be cross-compiled (hopefully only the ones 
that aren't base packages, if at all), qemu would be needed to do the 
rest, without switching to the host machine.

I notice that qemu-static and binfmt-qemu-static both have python2 as a 
dependency, which is somewhat problematic, as python is difficult to 
cross-compile without patching. Linux from scratch lists it as a 
dependency, but the qemu site does not [1], so it makes me wonder if 
python2 is really needed in these packages too.

All in all, I'm glad you have decided to take this route (compiling the 
base packages from source), as I'm hoping it'll mean less work for me in 
future.

Parabola is an excellent system, and I am very much grateful for the 
time people have contributed to make it happen.  :)

Josh.


[1] http://wiki.qemu.org/Hosts/Linux

More information about the Dev mailing list