How i get distfiles of a package?


#1

Recently was found a “virus” on AUR, i was wondering how can i get the distfiles variable of a template using xbps, just to make sure i am installing the rigth package(who knows).

A tried xbps-query -R <package> i get useful info of a pkg, but not the actual url that will be used to download.

Its possible to get that?


(Yuusha Spacewolf) #2

You can clone or check the repo and grep the distfiles variable.

Other than than, Void does not have an user repository so I don’t see as much risk as on the AUR.


#3

I use the git for verify the pkgs, but i was looking for something in xbps after sync with the repository itself


(Masato the Empty) #4

Generically, the URL would be
http(s)://<repo>/[<subrepo>/]<name>-<version>_<revision>.<arch>.xbps with an accompanying .xbps.sig file from the same location.

por ejemplo…
Say you’re on x86_64, glibc using repo.voidlinux.eu as your repository. When you xbps-query the packagename “opera” (a nonfree package) it would list the repository as
https:repo.voidlinux.eu/current/nonfree (which actually includes the subrepo, “nonfree”)
Name/version/rev string can be found in “pkgver”, in this case
opera-54.0.2952.46_1

Putting it together, you would build this:
https://repo.voidlinux.eu/current/nonfree/opera-54.0.2952.46_1.x86_64.xbps

When you use the -R flag, you’re querying the remote repodata, and can also specify a --repository instead of whatever you have configured. If you query a package you already have installed without the -R flag, it will tell you where you got the currently installed version.

EDIT: note that for musl, the repo would usually be some.server/current/musl followed by a subrepo if the package was from one…


#5

hmmm, i was getting that wrong, i was thinking xbps download the package from the distfile source directly like aur does, thx for clarify.


(Masato the Empty) #6

Wasn’t sure what you meant by distfiles.

Only place I really know the term being used is in reference to the upstream sources in the build system (xbps-src templates). xbps is a binary package manager so you’re downloading packages built by Void’s official buildbots, which get synced to various mirrors.

I don’t know how AUR packages work (never bothered with Arch; it was the cool new kid at a time when I wasn’t looking for anything new and resented cool kids :stuck_out_tongue: ) Didn’t realize that pkgbuilds are actually done locally, and not distributed as binaries. Definitely not what xbps does.

but in that case, it seems like makepkg is closer in its role to xbps-src (if you had a bigger unofficial fork of void-packages with lots of other user-donated templates… Void maintainers don’t seem comfortable promoting such a thing to say the least). Don’t know if pacman exposes all the AUR info used by makepkg but it seems to do the job of xbps in that case, so for things more like makepkg, you want to look at xbps-src and not xbps…

I guess things like yaourt unify the two stages (makepkg and pacman)? So if you use that then I can see where you’d expect the same of xbps.


#7

If you just want to see the exact template a package is built from and you don’t want to use git you could use a script like the following.

#!/bin/sh
# xtemplate pkg... - show template of a package

for p; do
        set -- $(xbps-query -p source-revisions -s "$p" | awk -F': ?' '{print $3" "$2}')
        curl -L "https://github.com/void-linux/void-packages/raw/$1/srcpkgs/$2/template"
done

AUR is source based, xbps is a binary package manager, xbps and xbps-src are two different projects and a normal void installation would never use xbps-src and only downloads packages built on a buildserver which uses xbps-src.


#8

:face_with_raised_eyebrow: ?


#9

thx @Duncaen i cloned the repo and make a similar script to search in my local storage, but this is very useful.

Now i get it, i was really confused with that because of template files.

@cr6

It was a shell script to retrieve machine info for a remote host. it was very simple, what makes it strange.


#10

@Nokogiri it’s not a virus. :joy:


#11

yep, thats why i used double quotes haha :smiley: , its the more generic way to call that