Re: [aur-general] Review of clickhouse-static PKGBUILD

[Mikhail f. Shiryaev via aur-general]

Tue Feb 11 23:25:09 UTC 2020 Eli Schwartz 

> "upstream recommends using vendored static linking" is not an acceptable
> reason to violate the packaging guidelines.
>
> The program *must* build using the system versions of the 46
> dependencies listed in the -static package, and the pkgname must be
> "clickhouse", not "clickhouse-static", in order to be moved to
> community; this is part of the "quality of life" care which defines a
> Trusted User's job.
>
> Among other things, this ensures that the openssl and libcurl versions
> used are the latest versions which are tracked on the security tracker
> and patched with security backports if needed -- something which is
> understandably important for anything that is communicating over the
> network.
>
> Also, libxml2 from 2 years ago, which is a bit ouch because xml is not
> exactly the least-exploited data format ever.
>
> Even linux distributions which build statically by default, will expect
> that the program link to the system's lib*.a static library packages
> rather than build a custom one.


Hello Eli,
Thank you for the full answer. So, as a conclusion, to fulfill the
requirements, every dependency must be added to [community] before the
main package, and only after that clickhouse could be added there as well.

That's understandable. Maybe, I could try to implement the regular
buildings for Arch in the repo and then will bring this topic again.

Best regards,
Mikhail f. Shiryaev



signature.asc
Description: OpenPGP digital signature

Re: [aur-general] Review of clickhouse-static PKGBUILD

[Eli Schwartz via aur-general]

On 2/10/20 5:02 AM, Felixoid via aur-general wrote:
> Hello, dear TUs and Arch developers.
> 
> I'd like to ask relative the package clickhouse-static[1]. The
> officially supported way to build ClickHouse binaries is static
> linking[2]. And my question: is it possible that the package with the
> current building structure (getting contribs like submodules in
> upstream, static linking etc.) would theoretically come to [community]
> repository?

"upstream recommends using vendored static linking" is not an acceptable
reason to violate the packaging guidelines.

The program *must* build using the system versions of the 46
dependencies listed in the -static package, and the pkgname must be
"clickhouse", not "clickhouse-static", in order to be moved to
community; this is part of the "quality of life" care which defines a
Trusted User's job.

Among other things, this ensures that the openssl and libcurl versions
used are the latest versions which are tracked on the security tracker
and patched with security backports if needed -- something which is
understandably important for anything that is communicating over the
network.

Also, libxml2 from 2 years ago, which is a bit ouch because xml is not
exactly the least-exploited data format ever.

Even linux distributions which build statically by default, will expect
that the program link to the system's lib*.a static library packages
rather than build a custom one.

-- 
Eli Schwartz
Bug Wrangler and Trusted User



signature.asc
Description: OpenPGP digital signature

Re: [aur-general] Review of clickhouse-static PKGBUILD

[Daniel M. Capella via aur-general]

On February 10, 2020 5:02:08 AM EST, Felixoid via aur-general 
 wrote:
> Hello, dear TUs and Arch developers.
> 
> I'd like to ask relative the package clickhouse-static[1]. The
> officially supported way to build ClickHouse binaries is static
> linking[2]. And my question: is it possible that the package with the
> current building structure (getting contribs like submodules in
> upstream, static linking etc.) would theoretically come to [community]
> repository?
> 
> Best regards,
> Mikhail f. Shiryaev
> 
> [1] https://aur.archlinux.org/packages/clickhouse-static/
> [2] https://clickhouse.tech/docs/en/development/style/#platform

Unlikely, but not really worth the conversation unless a team member wants to 
add it to the repos.

--
Best,
Daniel 

Re: [aur-general] Review of clickhouse-static PKGBUILD

[Felixoid via aur-general]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

It looks like mail-list has added new lines automatically,
so the signature is bad now. Here's the new one.

Best regards,
Mikhail f. Shiryaev
-BEGIN PGP SIGNATURE-

iQIzBAEBCAAdFiEESIZn3Pa5datRJo5TOc1XU71dhW8FAl5BS68ACgkQOc1XU71d
hW/8gA/5Ac3bNFt7W/2JEa2HicnQweWNKPbHXez1GGQgFBRxB4GiVtkwfh9X2mzq
Y4hhGDs0cRCiB2JmMWpi/6DWM3oSA5M3wU6NURk2jZ/+cbwK3i6WA6Tqu+vZ6g7l
lyd7oUEh/EEokVokCYDRCYG6yytDNx/uLC1OyK2z3D6bnLsM+v7HFKolhMQBJcUj
EZIw0VI91rYKHdHfH2rgmHuDtJ/lCBFWFy6t0AJshOuexUfJ2RA2NBtjrryNTiYg
2qyr0c8IwgIXp3qaKwlzVk7Kyvr9nalx4aVfCNp8l/7Dsrflm+jQq44N/wmDFtj6
MaxNXmxzPijaA8LF/6wIJoD8Fh6hPeU4MYB4UglPvSJqeC+0enq0v5uSBsLB8WCM
Hn/b8CDY2Sd/7dituk1WPwmj6eAZGp8XzeucpRklXEhPptzTgcn+MIX4LumuBD86
bNQ6bOjS18GAbTL42cAGGblFY4jzks2ZWGl3FI71R4mftxqK9GWndThctgafLUTS
cxGMpD6aYFE0dxAP0U9ZxOTHV4U/3pbYnEHLWA6CgdOgoj1IFx+GFHeR8YfUCJhg
LGkKfjcIgI/0wfUJpMgKz7QJsUYae2tw1EvXtc5twJ9tIekHLDIquDXKZG6P5Kw/
v36iRdY0DDP0dgSwKwgxvc3mXTutfw+cSVhewdYjygSTWRU0hU8=
=qjy0
-END PGP SIGNATURE-
пн, 10 февр. 2020 г. в 11:02, Felixoid :

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Hello, dear TUs and Arch developers.
>
> I'd like to ask relative the package clickhouse-static[1]. The officially 
> supported way to build ClickHouse binaries is static linking[2]. And my 
> question: is it possible that the package with the current building structure 
> (getting contribs like submodules in upstream, static linking etc.) would 
> theoretically come to [community] repository?
>
> Best regards,
> Mikhail f. Shiryaev
>
> [1] https://aur.archlinux.org/packages/clickhouse-static/
> [2] https://clickhouse.tech/docs/en/development/style/#platform
> -BEGIN PGP SIGNATURE-
>
> iQIzBAEBCAAdFiEESIZn3Pa5datRJo5TOc1XU71dhW8FAl5AolAACgkQOc1XU71d
> hW9BsBAAjrsvRpWHLyUwFtc8iku6U6mzeOSPPG5WqgzREXBCxbniEYuDRbvUOfr5
> C4Ua8y8vzq+x42Hg82PM5hcJErftcSPcQvD1o86Omxb7ZRIkeMcWmfVKcegcOTtm
> a/4VhUb5RuriC7L8euY6jL7a3v6j047VHZPFO5HYU0OJqL40dBR1zdBcRKw8uJXi
> GvmB7nJVhdPDGHP+HrE3ke7etyHB0yv8BqiQO/EPeqR3xxok6AdZYcARx/THSskV
> j8F2G3gOVYjDnDfn2e0J7eGN3ZjjuEIJg6133Fv3sh52akvU/zFT0WEMNkO6L6YZ
> Ku9uPWZ+1oaTYpqEimRNRTrpth+JqozthlUzFn+wNOxSJuUtu6a4/Qd0RJeYW80b
> l3Qm83aTSwv5vjMpm09eD6djfD7q6XZ3U+gPrY/Ntc1AxR8R6FuRiozxOYPzR2HA
> c7JZNm2li7WnoXh5wm5f3rPJo6SfdJRDIfLPAn6gigLed4WRJKE9VCDc8WtCWwcU
> kbfi9GBD95bd1XqSXf3OGfSaAnc71dXPWr8MV23QFNrmkPbx21+d6AW0CNBTmHpg
> 6OXLWkJIRMHFxtbdk043Ne/wq05jLnF6+a5adllkwmlnI14auaR2Ud5RUN1Gy6St
> 7zu07Ozv7yM/Y9+Q154l8r7ivy7+l9tynUs0FGTHjASKSc0vFvY=
> =Knpg
> -END PGP SIGNATURE-
>
>

[aur-general] Review of clickhouse-static PKGBUILD

[Felixoid via aur-general]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hello, dear TUs and Arch developers.

I'd like to ask relative the package clickhouse-static[1]. The
officially supported way to build ClickHouse binaries is static
linking[2]. And my question: is it possible that the package with the
current building structure (getting contribs like submodules in
upstream, static linking etc.) would theoretically come to [community]
repository?

Best regards,
Mikhail f. Shiryaev

[1] https://aur.archlinux.org/packages/clickhouse-static/
[2] https://clickhouse.tech/docs/en/development/style/#platform
-BEGIN PGP SIGNATURE-

iQIzBAEBCAAdFiEESIZn3Pa5datRJo5TOc1XU71dhW8FAl5AolAACgkQOc1XU71d
hW9BsBAAjrsvRpWHLyUwFtc8iku6U6mzeOSPPG5WqgzREXBCxbniEYuDRbvUOfr5
C4Ua8y8vzq+x42Hg82PM5hcJErftcSPcQvD1o86Omxb7ZRIkeMcWmfVKcegcOTtm
a/4VhUb5RuriC7L8euY6jL7a3v6j047VHZPFO5HYU0OJqL40dBR1zdBcRKw8uJXi
GvmB7nJVhdPDGHP+HrE3ke7etyHB0yv8BqiQO/EPeqR3xxok6AdZYcARx/THSskV
j8F2G3gOVYjDnDfn2e0J7eGN3ZjjuEIJg6133Fv3sh52akvU/zFT0WEMNkO6L6YZ
Ku9uPWZ+1oaTYpqEimRNRTrpth+JqozthlUzFn+wNOxSJuUtu6a4/Qd0RJeYW80b
l3Qm83aTSwv5vjMpm09eD6djfD7q6XZ3U+gPrY/Ntc1AxR8R6FuRiozxOYPzR2HA
c7JZNm2li7WnoXh5wm5f3rPJo6SfdJRDIfLPAn6gigLed4WRJKE9VCDc8WtCWwcU
kbfi9GBD95bd1XqSXf3OGfSaAnc71dXPWr8MV23QFNrmkPbx21+d6AW0CNBTmHpg
6OXLWkJIRMHFxtbdk043Ne/wq05jLnF6+a5adllkwmlnI14auaR2Ud5RUN1Gy6St
7zu07Ozv7yM/Y9+Q154l8r7ivy7+l9tynUs0FGTHjASKSc0vFvY=
=Knpg
-END PGP SIGNATURE-