
is there a reason not to include electron artefacts when releasing tarballs? #3009

Closed
ara4n opened this issue Jan 20, 2017 · 19 comments
Labels: A-Electron, A-Packaging (Packaging, signing, releasing), P2, T-Enhancement, T-Task (Tasks for the team like planning)

Comments

@ara4n
Member

ara4n commented Jan 20, 2017

so that packagers can then take the raw tarball when packaging up an electronified package for their distro

@z3ntu
Contributor

z3ntu commented Jan 20, 2017

What I am doing right now for the Arch Linux package: https://github.com/z3ntu/PKGBUILDs/blob/80cba6c56a754135d585cc103b06df3ca21715ab/riot-web/PKGBUILD#L34 .

EDIT:
I just got the electron wrapper working from the tarball by also downloading the files

package.json
electron/src/electron-main.js
electron/src/squirrelhooks.js
electron/src/vectormenu.js
electron/riot.im/config.json

from the repository and putting them into the correct directories. I hope these are all that are needed (started riot-web and got no local 404 errors, just matrix.org 500 errors, e.g. M_UNKNOWN: Failed to download content: An error occurred while connecting: Refusing to spider blacklisted IP address 83.166.64.17.)

@richvdh
Member

richvdh commented Jan 20, 2017

The electron app needs a mac to build, because aaaargh.

@z3ntu
Contributor

z3ntu commented Jan 20, 2017

A source tarball with the electron stuff, like in https://github.com/vector-im/riot-web/releases but with all required electron files is meant :) Just the source for the electron app which is gpg signed.

@richvdh
Member

richvdh commented Jan 20, 2017

Oh. But the repo is tagged and you can download tarballs of tags from github. What am I missing?

@z3ntu
Contributor

z3ntu commented Jan 20, 2017

These releases are not gpg signed which would be great.

@richvdh
Member

richvdh commented Jan 20, 2017

Ah, so if we signed the tags, would that be sufficient?

@z3ntu
Contributor

z3ntu commented Jan 20, 2017

I just noticed that the tags are also signed with the same gpg key (as everything else) which is quite nice. Unfortunately makepkg (Arch Linux package builder) has no built-in way to verify git tag signatures, only .asc/.sig files. Apparently the ArchLinuxARM project sometimes uses a function to verify the git tag gpg stuff (see https://archlinuxarm.org/packages/arm/libsystemd/files/PKGBUILD _validate_tag function)

@ArchangeGabriel

A patch for commit/tag signature verification is on its way for makepkg, but it won’t be here soon. Also, this should only be used when building from git (VCS packages), for releases building from a tarball is always preferred.

However, like I thought, there is some confusion here; what we need is almost already here, probably just missing is having this file signed: https://github.com/vector-im/riot-web/archive/v0.9.6.tar.gz.

@richvdh Could you tell us how https://github.com/vector-im/riot-web/releases/download/v0.9.6/vector-v0.9.6.tar.gz is done? Does it imply some sort of building from the source tarball? If so we shouldn’t even be using this file at all.

@z3ntu
Contributor

z3ntu commented Jan 21, 2017

I strongly believe that something like npm build is called and the resulting stuff gets put into the release tarball.
About the git signature verification 👍👍

@richvdh
Member

richvdh commented Jan 21, 2017 via email

@ArchangeGabriel

@richvdh Think you meant scripts/package.sh. It confirms what I thought, we shouldn’t be using the release tarball, rather the release source tarball. Need to check how this one could get signed.

@ArchangeGabriel

@richvdh OK so basically what we would like from riot-web devs is this: https://wiki.debian.org/Creating%20signed%20GitHub%20releases

@richvdh
Member

richvdh commented Jan 22, 2017

Right - I've actually taken the time to look at this thread properly rather than skimming it from my phone. Sorry for earlier half-answers.

@richvdh Could you tell us how https://github.com/vector-im/riot-web/releases/download/v0.9.6/vector-v0.9.6.tar.gz is done? Does it imply some sort of building from the source tarball? If so we shouldn’t even be using this file at all.

Apologies - I misread this previously. I thought you were asking how the electron package is built. The release is made by running release.sh, which runs matrix-js-sdk's release.sh, which runs npm run dist which runs, as you correctly surmised, scripts/package.sh.

@richvdh OK so basically what we would like from riot-web devs is this: https://wiki.debian.org/Creating%20signed%20GitHub%20releases

That appears to ask us to upload a pgp signature for github's auto-generated source tarball.

It sounds completely different to me than the subject of this issue so let's move to #3024.

@ArchangeGabriel

@richvdh Thanks for coming back to us. :)

You’re right about it being a bit different, but actually I think it is also the right answer for people who came here asking how they should package electron based riot-desktop in their distro: using the precompiled tarball is not an option in this context, only the source release one should be involved.

Note that the new ArchLinux package now uses the source release: https://aur.archlinux.org/pkgbase/riot/.

@Ralith

Ralith commented Feb 4, 2017

I'd like to see future releases include a tarball with the electron artifacts. Pulling them out of git with a build script feels very fragile.

e: to be clear, I mean the package.json and contents of the electron subdir, not electron itself, which typically comes from a separate package.

@ArchangeGabriel

@Ralith If you’re building, why don’t you do it from the source tarball?

@Ralith

Ralith commented Feb 7, 2017

I maintain packages for NixOS. Because they must behave reproducibly, Nix build scripts are not allowed to access the network. It doesn't seem to be possible to operate npm without network access, so building from source is impossible.

@ArchangeGabriel

Ah, yes, npm… Part of why I don’t like it. In the meantime, I have a workaround solution for you: download both the source tarball and the release one, and extract the electron part from the source tarball to add them in your package based on the release tarball.
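The workaround described in the comment above, as an added example that is not riot-web's own tooling: unpack the release tarball (the built web app) and copy only the electron wrapper files, using the file list z3ntu posted earlier in the thread, on top of it from the source tarball. The tarball file names, the top-level directory names inside them, and the `make_fixtures` stand-ins are constructed assumptions for this example; real packages would use the files from the riot-web release page. If a detached signature for the source tarball is supplied (what #3024 asks the project to publish), the script refuses to copy anything unless `gpg --verify` succeeds against the packager's own keyring.

```shell
#!/bin/sh
# Added example (not riot-web's own code): build a packaging tree from the
# release tarball plus the electron wrapper files taken from the source tarball.
# Tarball names, top-level directory names and the fixtures are assumptions
# constructed for this example.
set -eu

# Files the electron wrapper needs from the source tree (list from the thread).
ELECTRON_FILES="package.json
electron/src/electron-main.js
electron/src/squirrelhooks.js
electron/src/vectormenu.js
electron/riot.im/config.json"

# verify_detached_sig FILE SIGFILE: check a detached PGP signature using the
# packager's keyring (GNUPGHOME is assumed to hold only the trusted release key).
verify_detached_sig() {
    gpg --batch --verify "$2" "$1"
}

# single_top_dir TARBALL DEST: extract TARBALL into DEST and print the path of
# its single top-level directory; fail if the archive has none or several.
single_top_dir() {
    tarball="$1"; dest="$2"
    tar -xzf "$tarball" -C "$dest" || return 1
    set -- "$dest"/*
    [ "$#" -eq 1 ] && [ -d "$1" ] || return 1
    printf '%s\n' "$1"
}

# overlay_electron RELEASE_TGZ SOURCE_TGZ OUTDIR [SOURCE_SIG]
# Unpacks the release tarball into OUTDIR, then copies the electron wrapper
# files from the source tarball on top. All listed files must be present in
# the source tarball before anything is copied. Returns 1 on any failure.
overlay_electron() {
    release="$1"; source="$2"; out="$3"; sig="${4:-}"
    if [ -n "$sig" ]; then
        verify_detached_sig "$source" "$sig" || return 1
    fi
    srcwork=$(mktemp -d)
    src=$(single_top_dir "$source" "$srcwork") || { rm -rf "$srcwork"; return 1; }
    for f in $ELECTRON_FILES; do
        if [ ! -f "$src/$f" ]; then
            echo "source tarball is missing $f; refusing to build" >&2
            rm -rf "$srcwork"
            return 1
        fi
    done
    relwork=$(mktemp -d)
    rel=$(single_top_dir "$release" "$relwork") || { rm -rf "$srcwork" "$relwork"; return 1; }
    mkdir -p "$out"
    cp -R "$rel"/. "$out"/
    for f in $ELECTRON_FILES; do
        mkdir -p "$out/$(dirname "$f")"
        cp "$src/$f" "$out/$f"
    done
    rm -rf "$srcwork" "$relwork"
}

# make_fixtures DIR: constructed stand-ins for the two tarballs so the script
# runs offline. Also builds an incomplete source tarball to show the refusal path.
make_fixtures() {
    d="$1"
    mkdir -p "$d/rel/vector-v0.9.6/bundles" \
             "$d/src/riot-web-0.9.6/electron/src" \
             "$d/src/riot-web-0.9.6/electron/riot.im"
    echo '<html>built app</html>' > "$d/rel/vector-v0.9.6/index.html"
    echo 'console.log("bundle")' > "$d/rel/vector-v0.9.6/bundles/app.js"
    for f in $ELECTRON_FILES; do
        echo "placeholder for $f" > "$d/src/riot-web-0.9.6/$f"
    done
    tar -czf "$d/vector-v0.9.6.tar.gz" -C "$d/rel" vector-v0.9.6
    tar -czf "$d/riot-web-0.9.6.tar.gz" -C "$d/src" riot-web-0.9.6
    rm "$d/src/riot-web-0.9.6/electron/riot.im/config.json"
    tar -czf "$d/riot-web-0.9.6-incomplete.tar.gz" -C "$d/src" riot-web-0.9.6
}

# Usage: sh overlay.sh RELEASE_TGZ SOURCE_TGZ OUTDIR [SOURCE_SIG]
if [ "$#" -ge 3 ]; then
    overlay_electron "$@"
fi
```

Checking the full file list before copying anything keeps a half-built tree from slipping into a package when upstream moves or renames a wrapper file, which is exactly the fragility Ralith raised; a packager would normally pass the `.asc` as the fourth argument so an unverified source tarball is never unpacked at all.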

@ara4n ara4n added T-Task Tasks for the team like planning P2 A-Electron feature labels Feb 18, 2017
@jryans jryans added the A-Packaging Packaging, signing, releasing label Jul 29, 2019
@turt2live
Member

I believe we do this nowadays. If we don't, a new issue would be appreciated.
