is there a reason not to include electron artefacts when releasing tarballs? #3009
Comments
What I am doing right now for the Arch Linux package: https://github.com/z3ntu/PKGBUILDs/blob/80cba6c56a754135d585cc103b06df3ca21715ab/riot-web/PKGBUILD#L34 . EDIT:
from the repository and putting them into the correct directories. I hope these are all that are needed (started riot-web and got no local 404 errors, just matrix.org 500 errors eg |
The electron app needs a mac to build, because aaaargh. |
A source tarball with the electron stuff, like in https://github.com/vector-im/riot-web/releases but with all required electron files is meant :) Just the source for the electron app which is gpg signed. |
Oh. But the repo is tagged and you can download tarballs of tags from github. What am I missing? |
These releases are not gpg signed which would be great. |
Ah, so if we signed the tags, would that be sufficient? |
I just noticed that the tags are also signed with the same gpg key (as everything else) which is quite nice. Unfortunately |
A patch for commit/tag signature verification is on its way for However like I thought there is some confusion here; what we need is almost already here, probably just missing is having this file signed https://github.com/vector-im/riot-web/archive/v0.9.6.tar.gz. @richvdh Could you tell us how https://github.com/vector-im/riot-web/releases/download/v0.9.6/vector-v0.9.6.tar.gz is done? Does it imply some sort of building from the source tarball? If so we shouldn’t even be using this file at all. |
I strongly believe that something like |
On 21 January 2017 11:15:57 GMT+00:00, Bruno Pagani ***@***.***> wrote:
> @richvdh Could you tell us how
> https://github.com/vector-im/riot-web/releases/download/v0.9.6/vector-v0.9.6.tar.gz
> is done?
Haven't done it myself, but I believe the process is to check out from the git tag, then
```
scripts/electron-package.sh -v vx.x.x -c electron/riot.im/config.json
```
|
@richvdh Think you meant |
@richvdh OK so basically what we would like from riot-web devs is this: https://wiki.debian.org/Creating%20signed%20GitHub%20releases |
Right - I've actually taken the time to look at this thread properly rather than skimming it from my phone. Sorry for earlier half-answers.
Apologies - I misread this previously. I thought you were asking how the electron package is built. The release is made by running release.sh, which runs matrix-js-sdk's release.sh, which runs
That appears to ask us to upload a pgp signature for github's auto-generated source tarball. It sounds completely different to me than the subject of this issue so let's move to #3024. |
@richvdh Thanks for coming back to us. :) You’re right about it being a bit different, but actually I think it is also the right answer for people who came here asking how they should package electron based riot-desktop in their distro: using the precompiled tarball is not an option in this context, only the source release one should be involved. Note that the new ArchLinux package now uses the source release: https://aur.archlinux.org/pkgbase/riot/. |
I'd like to see future releases include a tarball with the electron artifacts. Pulling them out of git with a build script feels very fragile. e: to be clear, I mean the package.json and contents of the electron subdir, not electron itself, which typically comes from a separate package. |
@Ralith If you’re building, why don’t you do it from the source tarball? |
I maintain packages for NixOS. Because they must behave reproducibly, Nix build scripts are not allowed to access the network. It doesn't seem to be possible to operate npm without network access, so building from source is impossible. |
Ah, yes, npm… Part of why I don’t like it. In the meantime, I have a workaround solution for you: download both the source tarball and the release one, and extract the electron part from the source tarball to add them in your package based on the release tarball. |
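The workaround in the comment above, as an added shell example that is not from the thread or the riot-web project: it unpacks the release tarball and takes only `package.json` and `electron/` from the source tarball. Assumptions: each tarball has a single top-level directory, the function names and the `out/` layout are hypothetical, the sample tarballs are constructed, and pinned SHA-256 digests stand in for the GPG signature the thread asks for.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: each tarball unpacks to a
# single top-level directory; the out/ layout below is hypothetical.

# verify_sha256 FILE HEX: succeed only if FILE matches the pinned digest.
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# merge_electron SRC_TGZ SRC_SHA REL_TGZ REL_SHA OUT_DIR
merge_electron() {
    src=$1; rel=$3; out=$5
    verify_sha256 "$src" "$2" || { echo "source tarball: digest mismatch" >&2; return 1; }
    verify_sha256 "$rel" "$4" || { echo "release tarball: digest mismatch" >&2; return 1; }
    mkdir -p "$out/webapp" "$out/electron-src" || return 1
    # Prebuilt web app comes from the release tarball.
    tar -xzf "$rel" -C "$out/webapp" --strip-components=1 || return 1
    # From the source tarball take only package.json and electron/.
    top=$(tar -tzf "$src" | head -n 1 | cut -d/ -f1)
    tar -xzf "$src" -C "$out/electron-src" --strip-components=1 \
        "$top/package.json" "$top/electron" || return 1
}

# make_samples DIR: build two tiny constructed tarballs (not real release data).
make_samples() {
    d=$1
    mkdir -p "$d/riot-web-0.9.6/electron" "$d/riot-web-0.9.6/src" "$d/vector-v0.9.6"
    echo '{"name":"constructed"}' > "$d/riot-web-0.9.6/package.json"
    echo '// constructed' > "$d/riot-web-0.9.6/electron/main.js"
    echo '// constructed' > "$d/riot-web-0.9.6/src/app.js"
    echo '<html></html>' > "$d/vector-v0.9.6/index.html"
    tar -czf "$d/source.tar.gz" -C "$d" riot-web-0.9.6
    tar -czf "$d/release.tar.gz" -C "$d" vector-v0.9.6
}

# Demo: in a real package the two digests are pinned in the build recipe;
# here they are computed from the constructed files just to exercise the path.
demo() {
    w=$(mktemp -d) || return 1
    make_samples "$w"
    s1=$(sha256sum "$w/source.tar.gz" | cut -d' ' -f1)
    s2=$(sha256sum "$w/release.tar.gz" | cut -d' ' -f1)
    merge_electron "$w/source.tar.gz" "$s1" "$w/release.tar.gz" "$s2" "$w/out" &&
        (cd "$w/out" && find . -type f | sort)
    rc=$?; rm -rf "$w"; return $rc
}
demo
```

Both digests are checked before anything is unpacked, so a modified download leaves no partially merged tree behind.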
I believe we do this nowadays. If we don't, a new issue would be appreciated. |
so that packagers can then take the raw tarball when packaging up an electronified package for their distro