Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

numix-{circle-,}icon-theme-git need to track Github and update automatically #167

Closed
Hexcles opened this issue Nov 12, 2015 · 25 comments
Closed
Assignees
Labels

Comments

@Hexcles
Copy link

@Hexcles Hexcles commented Nov 12, 2015

UPDATE: the mechanism described below actually exists already (see the comments below). This is a configuration issue of the two packages (see @farseerfc 's comment for details). Changed the description of this issue accordingly.

Many (if not most) *-git AUR packages do not update their version numbers often, despite there are constantly new commits in the upstream git repo. It seems a convention that end users are expected to upgrade these *-git packages themselves, once in a while, to get the most recent version.

For example, numix-icon-theme-git. The AUR package was last updated on 2015-06-08. Yet if you check the git repo (https://github.com/numixproject/numix-icon-theme/commits/master), there are lots of commits since then, introducing new app icons and fixing bugs.

I'm thinking if we should have an automatic (probably periodic) update mechanism for these *-git packages.

@yuyichao

This comment has been minimized.

Copy link
Member

@yuyichao yuyichao commented Nov 12, 2015

lilac&nvchecker already supports this. It will not work though if the package is configured to track AUR version.

@Hexcles

This comment has been minimized.

Copy link
Author

@Hexcles Hexcles commented Nov 12, 2015

If I get you right, there is some kind of configuration for each package in the archlinuxcn repo, determining where/how the buildbot should check the new version. Right? Then it seems this is a bug of the configuration of numix-(circle-)icon-theme-git packages.

@farseerfc

This comment has been minimized.

Copy link
Member

@farseerfc farseerfc commented Nov 12, 2015

Firstly, here: https://github.com/archlinuxcn/repo/blob/master/nvchecker.ini#L1141
The packages need to track github upstreams rather than the aur.
Then here: https://github.com/archlinuxcn/repo/tree/master/numix-icon-theme-git
The packages need to have a lilac.py file to be build automatically.
The said numix-{circle-,}icon-theme-git don't seem to have them.

@Hexcles Hexcles changed the title Auto (periodic) update of *-git packages numix-{circle-,}icon-theme-git packages need to track Github and update automatically Nov 12, 2015
@Hexcles Hexcles changed the title numix-{circle-,}icon-theme-git packages need to track Github and update automatically numix-{circle-,}icon-theme-git need to track Github and update automatically Nov 12, 2015
@colinkeenan

This comment has been minimized.

Copy link
Contributor

@colinkeenan colinkeenan commented Nov 12, 2015

I have updated the packages and changed corresponding nvchecker.ini entries to track github, but I don't know how to use lilac.py. I also don't understand how I can sign a package if it's being updated automatically. I've been deciding what packages to update by using nvchecker my.ini. Tracking github, nvchecker currently reports the following versions that I've entered into old_ver.txt:

numix-circle-icon-theme-git 20151013
numix-icon-theme-git 20151111

Will these numbers change as the packages are updated on github so that nvchecker my.ini will let me know I need to do another update?

@farseerfc

This comment has been minimized.

Copy link
Member

@farseerfc farseerfc commented Nov 12, 2015

If a package is updated by lilac, it will be signed by lilac like this:

Packager       : lilac (on build machine by lilydjwg) <lilac@build.archlinuxcn.org>

Its signature is already in archlinuxcn-keyring. Currently we have 233 packages build automatically by lilacbot:

$ pacman -Slq archlinuxcn | pacman -Si - | grep "Packager" | sort | uniq -c | sort -nr
    233 Packager       : lilac (on build machine by lilydjwg) <lilac@build.archlinuxcn.org>
    109 Packager       : Unknown Packager
     82 Packager       : Felix Yan <felixonmars@archlinux.org>
     66 Packager       : yk <yk@build.archlinuxcn.org>
     20 Packager       : Felix Yan <felixonmars@gmail.com>
     12 Packager       : Zuyi Hu <hzy068808@gmail.com>
     11 Packager       : Yichao Yu <yyc1992@gmail.com>
     10 Packager       : lilydjwg <lilydjwg@gmail.com>
      9 Packager       : yuyichao <yuyichao@build.archlinuxcn.org>
      7 Packager       : phoenixlzx <phoenixlzx@archlinuxcn.org>
      5 Packager       : renyuneyun <renyuneyun@build.archlinuxcn.org>
      4 Packager       : fixme <fixme@build.archlinuxcn.org>
      3 Packager       : Jiachen Yang <farseerfc@gmail.com>
      2 Packager       : gsc <gsc@build.archlinuxcn.org>
      2 Packager       : amesists <amesists@build.archlinuxcn.org>
      1 Packager       : zsrkmyn <zsrkmyn@build.archlinuxcn.org>
      1 Packager       : Florian Pritz <bluewind@xinu.at>

To enable the automatic packaging by lilac, the packages need a lilac.py file that indicates how to build the package. For the packages from aur (those packages that don't need motifications to PKGBUILD) you can just use this template https://github.com/archlinuxcn/lilac/blob/master/templates/lilac.py-aur_simple . There are many examples in this repo too.

Lilacbot will be run on build server every night (in Beijing time). If it encounters any errors, it will send a email contains the build log.

I think it is up to each packager to decide whether to use lilac on each package.
(I am not quite familiar with nvchecker, so I cannot answer your question.)

@colinkeenan

This comment has been minimized.

Copy link
Contributor

@colinkeenan colinkeenan commented Nov 12, 2015

OK. Thank you. I will try to do it myself using nvchecker and keep an eye on the github accounts too to see if nvchecker is alerting me to updates. If it's not, I'll work on finding a way to make it see the updates.

@sunng87

This comment has been minimized.

Copy link

@sunng87 sunng87 commented Nov 20, 2015

Hi @colinkeenan , you gpg key has expired so we are no longer able to install numix-icon packages signed by that key. Could you please renew it?

@colinkeenan

This comment has been minimized.

Copy link
Contributor

@colinkeenan colinkeenan commented Nov 20, 2015

I renewed it on 11/18, 2 days ago. I have already signed package
updates since it expired.

@colinkeenan colinkeenan reopened this Nov 20, 2015
@colinkeenan

This comment has been minimized.

Copy link
Contributor

@colinkeenan colinkeenan commented Nov 20, 2015

Here is what shows for my key on my system:

 /home/colin %gpg -k
/home/colin/.gnupg/pubring.kbx
------------------------------
pub   rsa4096/0940E3F9 2014-11-18 [expires: 2016-11-17]
uid         [ unknown] Colin Keenan <colinnkeenan@gmail.com>
sub   rsa4096/EDA19F9C 2014-11-18 [expires: 2016-11-17]
@colinkeenan

This comment has been minimized.

Copy link
Contributor

@colinkeenan colinkeenan commented Nov 20, 2015

Maybe archlinuxcn-keyring needs to be updated?

@sunng87

This comment has been minimized.

Copy link

@sunng87 sunng87 commented Nov 20, 2015

@colinkeenan

This comment has been minimized.

Copy link
Contributor

@colinkeenan colinkeenan commented Nov 20, 2015

I have looked into it and realized I should have done gpg --keyserver pgp.mit.edu --send-keys 0940E3F9 after extending the expiration date. I have done that now and other keyservers should synchronize with pgp.mit.edu.

I don't know how to update archlinuxcn-keyring. Looking at the last commit when a new key was added, a lot of files were changed. I think somebody who knows what they are doing should do it. My updated key can be retrieved with gpg --keyserver pgp.mit.edu --search-keys 0940E3F9

@colinkeenan

This comment has been minimized.

Copy link
Contributor

@colinkeenan colinkeenan commented Nov 20, 2015

I have created a new issue asking that my key be updated in archlinuxcn-keyring: #170

@sunng87

This comment has been minimized.

Copy link

@sunng87 sunng87 commented Nov 20, 2015

I just get your signature updated via sudo pacman-key --refresh-keys.

But it seems you will need to sign those packages again and upload to fix this issue totally.

@sunng87

This comment has been minimized.

Copy link

@sunng87 sunng87 commented Nov 20, 2015

Some logs:

nsun@thinkless ~  $ sudo pacman-key --refresh-keys
...
gpg: key 0940E3F9: "Colin Keenan <colinnkeenan@gmail.com>" 2 new signatures
...
gpg: Total number processed: 94
gpg:              unchanged: 93
gpg:         new signatures: 2


 nsun@thinkless ~  $ pacupg
:: Synchronizing package databases...

 core is up to date
 extra is up to date
 community is up to date
 multilib is up to date
 archlinuxcn                                                                                       407.7 KiB  64.6K/s 00:06 [##########################################################################] 100%
:: Starting full system upgrade...
warning: libgcrypt15: local (1.5.4-4) is newer than archlinuxcn (1.5.4-3)
warning: python-click: local (5.1-4) is newer than community (5.1-3)
warning: python2-click: local (5.1-4) is newer than community (5.1-3)
resolving dependencies...
looking for conflicting packages...

Package (2)                              Old Version        New Version        Net Change

archlinuxcn/numix-circle-icon-theme-git  0.r2762.718e506-1  0.r2777.20e4378-1    0.01 MiB
archlinuxcn/numix-icon-theme-git         0.r1435.c77bcdd-1  0.r1437.1852164-1    0.00 MiB

Total Installed Size:  73.93 MiB
Net Upgrade Size:       0.01 MiB

:: Proceed with installation? [Y/n] 
(2/2) checking keys in keyring                                                                                              [##########################################################################] 100%
(2/2) checking package integrity                                                                                            [##########################################################################] 100%
error: numix-icon-theme-git: signature from "Colin Keenan <colinnkeenan@gmail.com>" is unknown trust
:: File /var/cache/pacman/pkg/numix-icon-theme-git-0.r1437.1852164-1-any.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] 
error: numix-circle-icon-theme-git: signature from "Colin Keenan <colinnkeenan@gmail.com>" is unknown trust
:: File /var/cache/pacman/pkg/numix-circle-icon-theme-git-0.r2777.20e4378-1-any.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] 
error: failed to commit transaction (invalid or corrupted package (PGP signature))
Errors occurred, no packages were upgraded.

@colinkeenan

This comment has been minimized.

Copy link
Contributor

@colinkeenan colinkeenan commented Nov 20, 2015

Signing again won't change anything. I don't think you actually got my updated signature that way. If you really want to test it, get my updated key using gpg --keyserver pgp.mit.edu --search-keys 0940E3F9. If you add my key that way, you will have no problem installing packages signed by me, but others will still have issues. I think somebody has to deal with #170 that I just opened.

@colinkeenan

This comment has been minimized.

Copy link
Contributor

@colinkeenan colinkeenan commented Nov 20, 2015

OK, I see that you did get my updated keys that way, but since they aren't part of archlinuxcn-keyring, you are running into a trust issue. Putting the key in your user keyring using the gpg command above will make it trusted on your computer. Once the issue I opened is completed, it will install anyway even if you don't add my key to your user keyring.

@sunng87

This comment has been minimized.

Copy link

@sunng87 sunng87 commented Nov 20, 2015

Well, I just imported your new keys via gpg --keyserver pgp.mit.edu --search-keys 0940E3F9 successfully, but the issue is unfortunately still there.

nsun@thinkless ~  $ gpg --keyserver pgp.mit.edu --search-keys 0940E3F9
gpg: data source: http://pgp.mit.edu:11371
(1) Colin Keenan <colinnkeenan@gmail.com>
      4096 bit RSA key 0940E3F9, created: 2014-11-18, expires: 2016-11-17
Keys 1-1 of 1 for "0940E3F9".  Enter number(s), N)ext, or Q)uit > 1
gpg: key 0940E3F9: public key "Colin Keenan <colinnkeenan@gmail.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1


@sunng87

This comment has been minimized.

Copy link

@sunng87 sunng87 commented Nov 20, 2015

Thanks for your time and patient on this, @colinkeenan ! I will wait for archlinux-keyring to update.

@colinkeenan

This comment has been minimized.

Copy link
Contributor

@colinkeenan colinkeenan commented Nov 20, 2015

Ok. I just read https://wiki.archlinux.org/index.php/Pacman/Package_signing#Adding_unofficial_keys and see that you had one more step to make the key trusted on your computer: sudo pacman-key --lsign-key 0940E3F9. Putting it in your personal keyring wasn't necessary. I was thinking of makepkg which would've used the personal keyring.

@colinkeenan

This comment has been minimized.

Copy link
Contributor

@colinkeenan colinkeenan commented Nov 21, 2015

@sunng87, I don't know if it's really necessary to update archlinuxcn-keyring. Nobody is replying to my issue. Also, on my own machine, today I tried to install something I just built and signed, and it said it was corrupt. So, I followed your helpful example and ran sudo pacman-key --refresh-keys. For me, that was all I had to do and the package installed fine.

I will have to test this on another machine to see if I run into the same trust issue that you did, but I don't know when I will be able to do that.

@colinkeenan

This comment has been minimized.

Copy link
Contributor

@colinkeenan colinkeenan commented Nov 21, 2015

@sunng87, I just updated somebody else's laptop that had Arch Linux on it and it was already set up to use archlinuxcn. Before doing the update, I refreshed the keys. There was no issue. I then installed numix-icon-theme-git. It installed without issue. I am going to close the issue I opened yesterday because it doesn't seem to be necessary to update archlinuxcn-keyring. I don't know why your machine is complaining about my key having unknown trust. This problem is not happening on any machine I have access to.

Maybe https://bbs.archlinux.org/viewtopic.php?pid=1116263#p1116263 will solve your problem though since it solved somebody else's similar problem:
remove the /etc/pacman.d/gnupg folder and try

pacman-key --init
pacman-key --populate archlinux

I'm guessing you will also need to re-install archlinuxcn-keyring.

@sunng87

This comment has been minimized.

Copy link

@sunng87 sunng87 commented Nov 22, 2015

Thanks @colinkeenan , I have successfully installed these packages by removing /etc/pacman.d/gnupg and importing keys again.

@athrunsun

This comment has been minimized.

Copy link

@athrunsun athrunsun commented Mar 23, 2016

I resolved this issue by reinstalling archlinuxcn-keyring and then refresh keys by sudo pacman-key --refresh-keys.

@colinkeenan

This comment has been minimized.

Copy link
Contributor

@colinkeenan colinkeenan commented Mar 23, 2016

archlinuxcn-keyring was just finally updated with my proper expiration date for my key a couple days ago, so this should not be an issue again until this key again expires in November 2016. I will start setting the expiration date a few years out after this. Had no idea it was this much trouble to do it yearly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
6 participants
You can’t perform that action at this time.