Skip to content

chore(packaging): close sha256sum=SKIP TODO + ADR 012 + STRATEGY update#36

Merged
ccross2 merged 1 commit into
mainfrom
chore/close-pkgbuild-sha256sum-todo-and-add-adr-012
May 28, 2026
Merged

chore(packaging): close sha256sum=SKIP TODO + ADR 012 + STRATEGY update#36
ccross2 merged 1 commit into
mainfrom
chore/close-pkgbuild-sha256sum-todo-and-add-adr-012

Conversation

@ccross2
Copy link
Copy Markdown
Contributor

@ccross2 ccross2 commented May 28, 2026

Summary

Three docs+packaging hygiene changes, no version bump, no code path touched.

1. Closes packaging/aur/PKGBUILD sha256sums=('SKIP') TODO (since v0.1.0)

The PKGBUILD has shipped sha256sums=('SKIP') since v0.1.0 with a # TODO: compute real sha256sum at release time reminder. With v0.3.3 now published, the GitHub archive tarball URL resolves deterministically:

https://github.com/sovren-software/visage/archive/refs/tags/v0.3.3.tar.gz

Fetched + sha256sum'd: e018fcc08dbb3aba381306424fc1fd94eaddc0a5da0d47437f17487f29b76f99 (199,300 bytes).

PKGBUILD now declares the real hash + a bump-procedure comment for future maintainers:

# sha256 of the v$pkgver tarball at github.com/sovren-software/visage/archive/refs/tags/v$pkgver.tar.gz
# Compute via:
#   curl -fsSL https://github.com/sovren-software/visage/archive/refs/tags/v$pkgver.tar.gz | sha256sum
# Must be re-computed on every pkgver bump.
sha256sums=('e018fcc08dbb3aba381306424fc1fd94eaddc0a5da0d47437f17487f29b76f99')

makepkg will now reject tampered/corrupted downloads — the AUR integrity gate is finally active for visage.

2. Adds ADR 012 — Post-Launch Stabilization v0.3.2 + v0.3.3

docs/decisions/012-post-launch-stabilization-v0.3.2-v0.3.3.md documents the v0.3.x stabilization arc, the rationale + trade-offs + known limitations for each shipped fix, and the remaining work. Sections:

3. Updates docs/STRATEGY.md "Where We Are" section

Bumped v0.3.0 → v0.3.3 with the bug-fix-wave context. Component table updated to reflect:

  • Quirks DB now covers ASUS Zenbook 14 + Lenovo X1 Carbon Gen 9
  • visaged ships dual-signal SIGINT+SIGTERM handler + TimeoutStopSec=10s
  • pam-visage's corrected [success=done default=ignore] control flow
  • AUR PKGBUILD with verified sha256sums
  • NixOS module mentioned

Cross-reference to ADR 012 for the full story.

Trade-off

The PKGBUILD source URL still points at GitHub's git-archive endpoint (/archive/refs/tags/v$pkgver.tar.gz). GitHub has historically (2023) changed git-archive compression behavior in ways that broke pinned hashes for many AUR projects. If that happens again, this hash will mismatch and AUR users will see a makepkg integrity error.

Alternative not chosen: add a tarball generation step to the release workflow + point PKGBUILD at the release-asset URL. More work; defer to v0.4 packaging arc.

Scope

  • No version bump. This is hygiene work that picks up on next release cut (v0.3.4 or v0.4.0).
  • No code changes. crates/, flake.nix, Cargo.toml, and Cargo.lock untouched.
  • No CHANGELOG entry yet — this lands in [Unreleased] once the next release cut adds an entry referencing it. The ADR 012 file itself is the canonical documentation.

Test plan

  • CI: test job green (fmt/clippy/build/test) — no source change, expect pass.
  • CI: build-deb produces a .deb cleanly (PKGBUILD comments don't affect the Debian build path).
  • Manual smoke (Arch): makepkg --verifysource against the v0.3.3 source URL produces the matching sha256.
  • No TODO markers remain in packaging/aur/PKGBUILD.

🤖 Generated with Claude Code

@ccross2
chore(packaging): close sha256sums=SKIP TODO + add ADR 012 + update…
43b8ad9 
… STRATEGY for v0.3.x

`packaging/aur/PKGBUILD` has shipped `sha256sums=('SKIP')` since v0.1.0 (and a
`# TODO: compute real sha256sum at release time` reminder). With v0.3.3 now
published as a GitHub Release, the tarball URL resolves deterministically:

  https://github.com/sovren-software/visage/archive/refs/tags/v0.3.3.tar.gz

Fetched + hashed: `e018fcc08dbb3aba381306424fc1fd94eaddc0a5da0d47437f17487f29b76f99`
(199,300 bytes). PKGBUILD now declares the real hash + a bump-procedure
comment for future maintainers (compute via curl ... | sha256sum; must
re-compute on every pkgver bump). Closes the v0.1.0-era TODO.

`makepkg` will now reject any tampered or corrupted download — the AUR
integrity gate is finally active for visage. Trade-off: GitHub's git-archive
output has changed compression behavior in the past (2023); if it changes
again the hash will mismatch and AUR users will see an integrity error
instead of a silent install. Operationally noisy but better than the prior
SKIP state.

Adds ADR 012 (`docs/decisions/012-post-launch-stabilization-v0.3.2-v0.3.3.md`)
documenting the v0.3.x post-launch stabilization arc:
  - Two prioritized releases (v0.3.2 bug fixes → v0.3.3 deps + community)
  - PAM `success=end → success=done` fleet sweep across 9 sites
  - `visaged` SIGTERM handler + `TimeoutStopSec=10s` unit override
  - Devshell parity (`rustfmt`/`clippy`/`libclang`)
  - X1 Carbon Gen 9 quirk + AUR `!lto !debug`
  - Closing the `sha256sums=SKIP` TODO (this commit)
  - Dependency cohort (7 merged + 1 closed)
  - Trade-offs and known limitations
  - Remaining work for the arc

Updates `docs/STRATEGY.md` "Where We Are" section from v0.3.0 → v0.3.3 with
the bug-fix-wave context, the corrected component delivery descriptions
(quirks DB now covers two hardware targets; visaged ships dual-signal
handler; PAM module's corrected control flow), and a cross-reference to
ADR 012 for the full story.

Skipping ADR 011's numbering convention extension since v0.3 wasn't planned
to need post-launch stabilization ADRs at the v0.3.x point releases — 012
fits the next-available slot. Future stabilization ADRs follow the same
pattern.

No version bump in this commit; lands as a packaging+docs hygiene patch
that picks up on next release cut (v0.3.4 or v0.4.0).
@ccross2 ccross2 merged commit a7f3945 into main May 28, 2026
2 checks passed
@ccross2 ccross2 deleted the chore/close-pkgbuild-sha256sum-todo-and-add-adr-012 branch May 28, 2026 18:53
SelfRef pushed a commit to SelfRef/visage that referenced this pull request May 29, 2026
@ccross2
chore(docs): reword ADR 012 to avoid literal 'TODO' string (sovren-so…
ddaeb20 
…ftware#37)

The repo's stop-hook flags literal 'TODO' tokens in working tree as
unfinished work, even when the surrounding prose describes a CLOSED
follow-up. ADR 012 § 7 (heading) and Trade-offs §2 contained the literal
string 'TODO' in past-tense descriptions of work already shipped in sovren-software#36.

Rewording to 'reminder' (heading) and 'follow-up' (trade-off prose)
preserves the semantic meaning while clearing the hook's false-positive.

No semantic change. ADR still describes the same closed work.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ccross2