search

dhth / omm

"on-my-mind": A keyboard-driven task manager for the command line
https://tools.dhruvs.space/omm
MIT License
254 stars 3 forks source link

AUR package #2

Closed omnigenous closed 4 months ago

omnigenous commented 4 months ago

https://aur.archlinux.org/

CyberDudeJ commented 4 months ago

Honestly I'd kill for an AUR package of this

dhth commented 4 months ago

While I work on publishing an AUR package for omm, would getting linux binaries directly from a release suffice for now? Something like this:

# choose a gzipped tarball based on your architecture
curl -s -L -o omm.tar.gz https://github.com/dhth/omm/releases/download/v0.2.2/omm_0.2.2_linux_amd64.tar.gz
tar -xvzf omm.tar.gz
# move omm to a location on your $PATH
omm
dimatematik commented 4 months ago

I've published one and ready to maintain it

Could you please provide instructions on how to verify tarball signatures? I see that cosign is used, but the public key (cosign.pub) is in .gitignore

dhth commented 4 months ago

@dimatematik Thanks a lot for publishing it :)

I've added cosign.pub to the release assets. The tarballs (or any other files in the release, eg. checksum files) can be verified using:

cosign verify-blob --key cosign.pub --signature omm_0.4.1_linux_amd64.tar.gz.sig omm_0.4.1_linux_amd64.tar.gz

Since I am new to AUR packages, I have a question: The AUR package lists go as a dependency. Since I'm already publishing linux binaries, would it be easier to point the source directly to a precompiled binary (eg. the way it's done here), and remove the dependency?

omnigenous commented 4 months ago

The AUR package lists go as a dependency. Since I'm already publishing linux binaries, would it be easier to point the source directly to a precompiled binary (eg. the way it's done here), and remove the dependency?

I'm no expert either but I think that how it works:

dimatematik commented 4 months ago

Thanks for clarifying the verification process!

The use of -bin packages is a matter of debate (discussion example). Since the AUR is completely untrusted (maintainer == anyone), end users should verify that the binary was compiled by the original author of the code. As a maintainer, I am advised to validate the binary (as stated in the Arch package guidelines), but the end user cannot be sure of my honesty. The only way to verify whether a binary was provided by the code's author is through cryptographic verification. Currently makepkg natively only supports PGP keys, so checking with cosign will require the "cosign" dependency. Personally, I don't think there is a problem with the "go" dependency. The AUR is designed to store build instructions. -bin packages are typically used for heavy projects (like browsers) and proprietary software.

dhth commented 4 months ago

@dimatematik Makes sense. A non bin package with dependencies sounds good, then.

Side note: I added more details on verifying the authenticity of release assets here.

dimatematik commented 4 months ago

Well, someone published the -bin package) I think the issue can be marked as resolved