First AUR package

This has been the most fun ride; I’m so upset I didn’t start getting into all of this sooner. Blah blah, 6 months after deciding that Endeavour was the OS for me (more that it was Arch or nothing), I have pushed my first package to the AUR.

Sqlch-Suite

(it currently might not work, as I have been overupdating with excitement)

But yeah. Thanks to everyone here on the forums whose jaded ennui let me know I was making the right decision and would fit right in.

But for real, this forum is the best.

(If you can help me, or have recommendations, let me know! Even if the recommendation is “stop doing this”. I’m really just happy to say that I did it, and at one point, I downloaded and installed it and it just worked.)


your github blurb: “a chaotic, overengineered, lovingly CLI-based internet radio system”
second-favorite line: “:turtle: Looks deceptively calm, like it’s not held together by 18 threads and a shell script”

If I can rock and roll radio, count me in.
Follow @dalto’s correct protocols for cleanup and I will install it from the AUR.
Far out.

==> WARNING: Skipping verification of source file PGP signatures.
==> ERROR: Integrity checks (md5) differ in size from the source array.
 -> error downloading sources: /home/user/.cache/yay/sqlch-suite
	 context: exit status 1

It asked for a password at this point, which I can only guess is to continue the install. I declined. Never seen an MD5 error before.

Someone should probably have run updpkgsums on there.

@dalto has touched on this already, but your package must be dependent on, and reflective of, the upstream source, which is:

https://github.com/SW-philip/sqlch-suite

A package that does not depend on the official source would (and should) be treated with severe scrutiny, as the packager has disconnected the developer’s code. Skipping checksum checks, which are a means of validating source files against the origin, further exacerbates that.

Now granted of course, in this case the developer and packager are presumably the same person (SWphil), but that remains exploitable. If the correct sources are used and checksums validated, then there doesn’t need to be a question of trusting the packager.

If I may offer some thoughts:


All fair. The version release was an error and initially just a way for me to keep track of changes after losing track a couple times. I updated the version, removed the tarball, and added checksums, which currently are not there (which is a whole other rabbit hole and probably 4 other topics).

But I’m working on it. I knew the importance of organization and curation to begin with, I just got impatient. Lesson learned.


UPDATES: I hope anyway.

I have been working pretty hard to make sure I don’t ever have to clean a repo up as much as I have. I’ve added the appropriate checksums, I believe I am good to go. I’m pulling the trigger because if I don’t, I never will.

Thank you and let me know how right or wrong I am or was!

To make md5sum simple, do: md5sum filename.txt > filename.md5

I think because the md5sums array in the PKGBUILD file does not match the number of entries in the source array.

Also, you can just use updpkgsums, that will automatically generate and apply sums.
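
The size mismatch described in the last replies, and the skipped checksums raised earlier in the thread, as an added example that is not part of the thread or of the sqlch-suite package: a pre-push check that compares each checksum array in a PKGBUILD with its source array and flags SKIP entries. The function names, sample PKGBUILDs, URL and hash values are constructed placeholders.

```sh
#!/bin/sh
# PKGBUILDs are bash, so the check runs in a bash child even when called from sh.
# It sources the file as makepkg does: run it only on a PKGBUILD you have read.
# Architecture-specific arrays (source_x86_64 and similar) are not covered.
check_pkgbuild_sums() {
  bash -s -- "$1" <<'EOF'
source "$1" >/dev/null 2>&1 || { echo "FAIL cannot source $1"; exit 2; }
status=0 found=0
for algo in md5 sha1 sha224 sha256 sha384 sha512 b2; do
  declare -p "${algo}sums" >/dev/null 2>&1 || continue   # array not defined
  found=1
  ref="${algo}sums[@]"; sums=("${!ref}")                 # copy via indirection
  if [ "${#sums[@]}" -ne "${#source[@]}" ]; then
    echo "FAIL ${algo}sums: ${#sums[@]} checksum(s) for ${#source[@]} source(s)"
    status=1
  fi
  for i in "${!sums[@]}"; do
    [ "${sums[$i]}" = SKIP ] &&
      echo "WARN ${algo}sums[$i]: SKIP, ${source[$i]:-?} is not verified"
  done
done
[ "$found" -eq 1 ] || [ "${#source[@]}" -eq 0 ] ||
  { echo "FAIL no checksum array for ${#source[@]} source(s)"; status=1; }
exit "$status"
EOF
}

# Constructed sample PKGBUILDs (placeholder URL and all-zero hashes).
write_samples() {
  cat > "$1/PKGBUILD.broken" <<'EOF'
pkgver=1.0
source=("https://example.invalid/demo-$pkgver.tar.gz" "demo.service")
md5sums=('SKIP')
EOF
  cat > "$1/PKGBUILD.fixed" <<'EOF'
pkgver=1.0
source=("https://example.invalid/demo-$pkgver.tar.gz" "demo.service")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            '0000000000000000000000000000000000000000000000000000000000000000')
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in "$tmp"/PKGBUILD.*; do
  echo "== ${f##*/}"; check_pkgbuild_sums "$f" || echo "-> fix before pushing"
done
rm -rf "$tmp"
```

The check only confirms that every source has a checksum slot and that none is SKIP; whether the hashes match the downloaded files is still verified by makepkg itself.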