Arch -- Pacman-5.1 – Don’t Use the Force, Luke!


securitybreach

A new pacman release with an article from Allan McRae (its main dev):

 

Wow ... look at all the cobwebs around here! No posts in two years. But the need for a new pacman release post has dragged me back. I clearly still remembered the password, so that is a bonus!

 

As is tradition, before I get into details, I need to thank everyone for their help in making this release. Here are the top 10 committers:

 

$ git shortlog -n -s v5.0.0..v5.1.0
82 Allan McRae
60 Andrew Gregory
45 Eli Schwartz
16 Ivy Foster
10 Dave Reisner
9 Christian Hesse
9 Gordian Edenhofer
8 Alastair Hughes
7 Rikard Falkeborn
6 Michael Straube

 

(I win!) Lots of new names there which is always really appreciated. And as usual a long tail of contributors submitting the occasional patch – there were 48 contributors in total.

 

Onto what has changed in this release. There is a lack of what I would call a killer feature in this release. Mostly a lot of small changes that improve usability, which is why there was so much time between releases. Here is a detailed list of changes. However, there are a few things worth highlighting.

 

There is a new option --overwrite, which is a replacement for the too often misused --force (hence the release name). This allows fine grained control of what files pacman is safe to ignore conflicts with. Handling the latest upgrade requiring user intervention in Arch Linux would now look like:

 

pacman -Syu --overwrite /usr/lib/libmozjs-52.so.0

 

You can even use globs when specifying the files to overwrite. Not only is specifying exact files to overwrite a lot safer than the old --force, there are also some common sense restrictions there too (you can’t overwrite a directory with a file, or force package installs with conflicting files).

 

We have also added a --sysroot option that will replace --root. Basically, this now works the way people will expect – for example, the configuration file used is the one in the specified root, and not the local one. This does require a bit more setup while creating a new install root, but hopefully will be a lot more robust.

 

We have also added support for reproducible builds. This was mostly ensuring all files had the same timestamp and obeyed the SOURCE_DATE_EPOCH standard. We also added a .BUILDINFO file within each package, recording information about the environment a package was built in. This allows scripts to regenerate the build environment to demonstrate a package is reproducible (particularly important in rolling release distros).

 

There was also improved support for debugging packages. Split packages now produce a single debug package instead of one for each split package. This makes it easier to get all required debug symbols for a particular package (and hopefully easier for distros to carry these packages…). Also, we include relevant source files in the debug packages, allowing us to step through the code.

 

Finally, I killed off the “contrib” directory as it was taking excessive amounts of pacman developer time. That means no more checkupdates, paccache, … However, this has been picked up as a separate project, which is available by installing pacman-contrib in Arch Linux.

 

As always, this is a bug free release. But if you spot something you think is a bug, please file a bug report and we can assign blame – which is more important than fixing! (The pool for developer who created the first pacman bug of this release is still open at the time of posting.)

 

http://allanmcrae.com/2018/05/pacman-5-1-dont-use-the-force-luke/

  • Like 4
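The reproducible-builds paragraph in the quoted article, as an added example (not part of the post and not makepkg's code): a Python demonstration, with constructed file contents and hypothetical function names, that identical files packed at different times hash differently until every archive member takes the single SOURCE_DATE_EPOCH timestamp and a fixed order.

```python
import hashlib
import io
import tarfile

def build_package(files, source_date_epoch=None):
    """Pack {path: (content, mtime)} into an uncompressed tar archive.

    With source_date_epoch set, every member gets that one timestamp and
    members are written in sorted order, so the bytes depend on content only.
    """
    buf = io.BytesIO()
    names = sorted(files) if source_date_epoch is not None else list(files)
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in names:
            data, mtime = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime if source_date_epoch is None else source_date_epoch
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def sha256(blob):
    return hashlib.sha256(blob).hexdigest()

def metadata_diff(pkg_a, pkg_b):
    """List (member, field, a_value, b_value) for tar metadata that differs."""
    def index(blob):
        with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
            return {m.name: m for m in tar.getmembers()}
    a, b = index(pkg_a), index(pkg_b)
    diffs = []
    for name in sorted(a.keys() & b.keys()):
        for field in ("size", "mtime", "mode", "uid", "gid"):
            va, vb = getattr(a[name], field), getattr(b[name], field)
            if va != vb:
                diffs.append((name, field, va, vb))
    return diffs

# Constructed sample: the same two files "built" on two machines at different times.
SOURCE_DATE_EPOCH = 1527465600  # arbitrary sample value
BUILD_A = {"usr/bin/demo": (b"\x7fELF-demo", 1527500000),
           "usr/share/doc/demo/README": (b"hello\n", 1527500003)}
BUILD_B = {"usr/share/doc/demo/README": (b"hello\n", 1527599999),
           "usr/bin/demo": (b"\x7fELF-demo", 1527599990)}

if __name__ == "__main__":
    plain = [build_package(f) for f in (BUILD_A, BUILD_B)]
    fixed = [build_package(f, SOURCE_DATE_EPOCH) for f in (BUILD_A, BUILD_B)]
    print("without:", sha256(plain[0]) == sha256(plain[1]), metadata_diff(*plain))
    print("with   :", sha256(fixed[0]) == sha256(fixed[1]), metadata_diff(*fixed))
```

When a rebuilt package does not match the published hash, a metadata diff like this separates harmless timestamp noise from a real content difference.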
Link to comment

The link in the post doesn't work for me.

 

Also:

 

Finally, I killed off the “contrib” directory as it was taking excessive amounts of pacman developer time. That means no more checkupdates, paccache, … However, this has been picked up as a separate project, which is available by installing pacman-contrib in Arch Linux.

 

No paccache.

 

$ sudo paccache -rk 1
sudo: paccache: command not found

Link to comment

securitybreach

Finally, I killed off the “contrib” directory as it was taking excessive amounts of pacman developer time. That means no more checkupdates, paccache, … However, this has been picked up as a separate project, which is available by installing pacman-contrib in Arch Linux.

 

No paccache.

 

$ sudo paccache -rk 1
sudo: paccache: command not found

 

Did you install pacman-contrib as noted above????

Link to comment

Just to follow up, I did install pacman-contrib, and that took care of the paccache thing.

 

I know that I shouldn't be using yaourt, and I guess there's no real need to use it anyway (anyone here using aurman, or perhaps trizen or something else?), but here's what I saw when I tried a yaourt command after all this:

 

$ yaourt -Qm
package-query: error while loading shared libraries: libalpm.so.10: cannot open shared object file: No such file or directory

 

Well, I downloaded package-query-1.9-3-x86_64.pkg.tar.xz from here: https://github.com/a...6_64.pkg.tar.xz

 

Then, I ran:

 

$ sudo pacman -U package-query-1.9-3-x86_64.pkg.tar.xz

 

After that, looks like yaourt works okay. But I mostly stay away from AUR packages, and when I need something from there I'll try to stick with the "official" manual build process. If what I posted above re: package-query was the incorrect way of doing things, feel free to jump in.

 

I run Antergos as well as Arch, but with pamac and a bunch of other stuff removed, and I have the Antergos repo moved to the lowest priority. So I didn't get that yaourt error in Antergos. I like having both Arch and Antergos installed; "contrast/compare" is a good learning approach for me. I do find that in the end I do prefer my Arch installation. (Kinda like how I prefer Debian Stable over anything based on it, but that's just me.) Antergos is very good, though, IMHO.

 

Oh, and here's a link to a related thread at the Antergos forums, if this helps anyone: https://forum.anterg...nd-other-things

Link to comment

securitybreach

pacutils will provide libalpm:

community/pacutils 0.6.2-g3 [installed]

Helper tools for libalpm

 

pacman -U will generally not pull in deps. It is sort of like dpkg -i where it just installs the compiled package.

 

The reason that you didn't get the error in Antergos is because Antergos already has pacutils.

 

Oh, and I have been using trizen since December due to pacaur losing its maintainer. I have always had a bad feeling towards yaourt. Yaourt used to display the PKGBUILDs after it fetched the source. They changed this behavior for the most part but it still happens sometimes. A non-official repo should never execute before letting you view the source.

 

There hasn't been a malicious package in AUR so far but it could be added easily enough if one wanted to.
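The point above about reading a PKGBUILD before a helper builds it, as an added example that is not part of the post or of any AUR helper: a Python pre-review pass, with a hypothetical function name and a constructed PKGBUILD, that lists the lines a reader should look at first. It is a set of heuristics to focus the reading and does not replace it.

```python
import re
import shlex

ARRAY = re.compile(r"^(\w+)=\(([^)]*)\)", re.MULTILINE)
FETCH = re.compile(r"\b(curl|wget)\b|\|\s*(ba)?sh\b")

def review_points(pkgbuild):
    """Return (field_or_line, reason) pairs to check before running makepkg."""
    points = []
    arrays = {k: shlex.split(v, comments=True) for k, v in ARRAY.findall(pkgbuild)}
    for url in arrays.get("source", []):
        if re.match(r"(.*::)?(http|ftp)://", url):
            points.append((url, "source fetched over plaintext transport"))
    sums = {k: v for k, v in arrays.items() if k.endswith("sums")}
    if arrays.get("source") and not sums:
        points.append(("source", "no checksum array at all"))
    for name, values in sums.items():
        if "SKIP" in values:
            points.append((name, "SKIP disables the integrity check for a source"))
        if name in ("md5sums", "sha1sums"):
            points.append((name, "weak hash; prefer sha256sums or stronger"))
    m = re.search(r"^install=(\S+)", pkgbuild, re.MULTILINE)
    if m:
        points.append((m.group(1), "install scriptlet runs as root; read it too"))
    for n, line in enumerate(pkgbuild.splitlines(), 1):
        if FETCH.search(line) and not line.lstrip().startswith("#"):
            points.append((f"line {n}", "download or pipe-to-shell outside source=()"))
    return points

# Constructed PKGBUILD for illustration; example.invalid is a placeholder host.
SAMPLE = '''\
pkgname=demo-helper
pkgver=1.0
pkgrel=1
arch=('any')
source=("$pkgname-$pkgver.tar.gz::http://example.invalid/demo-$pkgver.tar.gz"
        "demo.patch")
md5sums=('SKIP'
         '0123456789abcdef0123456789abcdef')
install=demo.install

build() {
  cd "$pkgname-$pkgver"
  curl -s https://example.invalid/extra.sh | sh
}
'''

if __name__ == "__main__":
    for where, why in review_points(SAMPLE):
        print(f"{where}: {why}")
```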

Link to comment

pacman -U will generally not pull in deps.

 

Even though man pacman seems to say something different?

 

	 -U, --upgrade
	 Upgrade or add package(s) to the system and install the required dependencies from
	 sync repositories. Either a URL or file path can be specified. This is a
	 “remove-then-add” process. See Upgrade Options below; also see Handling Config Files
	 for an explanation on how pacman takes care of configuration files.

Link to comment

securitybreach

I know that it does not usually do that with AUR packages, only ones in the normal repos.

Link to comment

abarbarian

Pacaur had lost its maintainer but has now found another, so is a viable and updated good AUR helper. I have been using it for a couple of years I think with no problems.

 

I too thought that pacaur was no longer being maintained and was advised wrongly to change to another helper.

 

The only one I got around to trying after reading around was aurman. This seems to work almost exactly as pacaur and uses pacman commands which I find very useful. It is well worth a try.

 

[Image: kxbOdOl.jpg]

 

I have no idea what the dependency warning is as it is the first time I have seen it. On other occasions when running aurman there has been more information given but this update seems to be a very simple one.

 

I have not tried out trizen.

 

:breakfast:

  • Like 1
Link to comment

I think I remember seeing a thread at the Arch forums on that subject, running an AUR-free Arch system. But then you turn around and an app you like using gets moved to AUR...

  • Like 1
Link to comment

securitybreach

I think I remember seeing a thread at the Arch forums on that subject, running an AUR-free Arch system. But then you turn around and an app you like using gets moved to AUR...

 

Well, that only happens when a user loves software that is rarely used anymore ;)

Link to comment

abarbarian

I think I remember seeing a thread at the Arch forums on that subject, running an AUR-free Arch system. But then you turn around and an app you like using gets moved to AUR...

 

Well, that only happens when a user loves software that is rarely used anymore ;)

 

Them Arch dev's have no soul. They dumped good old Window Maker and threw it away like a worn out sneaker. Shame on them. :ermm:

Link to comment

securitybreach

I think I remember seeing a thread at the Arch forums on that subject, running an AUR-free Arch system. But then you turn around and an app you like using gets moved to AUR...

 

Well, that only happens when a user loves software that is rarely used anymore ;)

 

Them Arch dev's have no soul. They dumped good old Window Maker and threw it away like a worn out sneaker. Shame on them. :ermm:

 

Well, you didn't rally enough for windowmaker

Link to comment

Them Arch dev's have no soul. They dumped good old Window Maker and threw it away like a worn out sneaker. Shame on them. :ermm:

Sounds like a golden opportunity for you to become an AUR maintainer! ;)

Link to comment

abarbarian
Them Arch dev's have no soul. They dumped good old Window Maker and threw it away like a worn out sneaker. Shame on them. :ermm:

Sounds like a golden opportunity for you to become an AUR maintainer! ;)

 

Do you know I would jump in like a shot but for the fact that there is already a very nice chap looking after Window Maker in the AUR. :P

 

I do have a window maker dock application that does not have an Arch package build and have been thinking about putting it in the AUR. The whole procedure looks darn complicated to a barbarian like me though. What with building it and dealing with GIT and the AUR hoops it fair makes me poor old grey cell freak out. :w00t:

Link to comment

My AUR packages in Antergos:

 

$ pacman -Qm
inxi 3.0.10-2
mirage 0.9.5.2-5

 

Both of those were removed from the official repos. Here are my packages from the antergos repo:

 

$ paclist antergos
antergos-alerts 17.11.18-1
antergos-keyring 20170524-1
antergos-mirrorlist 20180526-4
antergos-wallpapers 0.7-3
antergos-welcome 0.3-2
gksu 2.0.2-7
libgksu 2.0.12-9
light-locker-settings 1.5.3-1
lightdm-webkit2-greeter 2.2.5-1
numix-frost-themes 3.6.6-1
numix-icon-theme 1:0.r1976-1
numix-icon-theme-square 1:18.02.16-1
obkey 1.0-4
openbox-menu 0.8.0-1
package-query 1.9.r380-3
plank-theme-numix 0.1-1
python-pydbus 0.6.0-1
waldorf-ui-theme 0.07-1
yaourt 1.9-1

 

I'll probably clean that up a bit when I get around to it.

Link to comment

securitybreach

Mine:

 

comhack@Cerberus ~ % pacman -Qm

google-chrome 67.0.3396.87-1
inxi 3.0.10-2
ix 1.0-1
mirage 0.9.5.2-5
nnn 1.8-1
oh-my-zsh-git r4318.1c958e02-1
plex-media-server 1.13.2.5154-1
python2-sabyenc 3.3.5-1
sabnzbd 2.3.4-1
teamviewer 13.1.8286-9
trizen 1:1.50-1

Link to comment
