I’ve released a new tool to manage dependency lockfiles for Arch Linux packages that can’t use a lockfile from the official upstream release. It integrates closely with other Arch Linux tooling like updpkgsums that’s already used to pin the content of build inputs in PKGBUILD.

To use this, the downstream lockfile becomes an additional source input in the source= array of our PKGBUILD (this is already the case for some packages).

source=("git+https://github.com/vimeo/psalm.git#commit=${_commit}"
        "composer.lock")

You would then add a new function named updlockfiles that generates fresh lockfiles and copies them into $outdir, and a prepare function that copies the lockfile into the right place:

prepare() {
  cd "${pkgname}"
  cp ../composer.lock .
}

updlockfiles() {
  cd "${pkgname}"
  rm -f composer.lock
  composer update
  cp composer.lock "${outdir}/"
}

To update the package to the latest (compatible) patch level simply run:

updlockfiles
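The security value of this layout is that the lockfile is a checksummed source input: once updlockfiles has regenerated it, the build fails until the sha256sums entry is refreshed with updpkgsums, so a lockfile that was altered outside that workflow is caught at build time. The script below is an added illustration of that check and is not part of the tool or the announcement. It constructs a throwaway PKGBUILD and composer.lock under a temp directory, locates the lockfile's position in source= to pick the matching sha256sums entry, and walks the regenerate/verify/refresh cycle; the array parsing is deliberately minimal (single-line items only), refresh_lockfile_sum is a stand-in for updpkgsums rather than the real tool, and sha256sum is assumed to be available.

```shell
#!/bin/sh
# Added example: check that a downstream lockfile listed in source= is pinned by a
# matching sha256sums entry. Not part of the updlockfiles tool; fixture data is constructed.
set -eu

# array_items NAME PKGBUILD: print one element of the bash array NAME per line.
# Minimal parser: assumes quoted items without embedded spaces, as in the announcement.
array_items() {
  sed -n "/^$1=(/,/)/p" "$2" | tr '\n' ' ' | sed "s/^$1=(//; s/).*//" \
    | tr -d "'\"" | tr -s ' ' '\n' | sed '/^$/d'
}

# lockfile_index NAME PKGBUILD: 1-based position of NAME in source=, failure if absent.
lockfile_index() {
  array_items source "$2" \
    | awk -v want="$1" '$0 == want { print NR; found = 1; exit } END { if (!found) exit 1 }'
}

# expected_sum INDEX PKGBUILD: the sha256sums entry at INDEX (same order as source=).
expected_sum() {
  array_items sha256sums "$2" | sed -n "${1}p"
}

# verify_lockfile LOCKFILE PKGBUILD: 0 when the file is listed, pinned and matching.
verify_lockfile() {
  name=$(basename "$1")
  idx=$(lockfile_index "$name" "$2") || { echo "$name is not in source=" >&2; return 2; }
  want=$(expected_sum "$idx" "$2")
  [ "$want" != "SKIP" ] || { echo "$name is listed with SKIP instead of a checksum" >&2; return 3; }
  have=$(sha256sum "$1" | cut -d' ' -f1)
  [ "$want" = "$have" ] || { echo "$name checksum mismatch: run updpkgsums" >&2; return 1; }
}

# refresh_lockfile_sum LOCKFILE PKGBUILD: assumed stand-in for updpkgsums, rewrites only
# the lockfile's own entry (refuses to touch a SKIP, which would be ambiguous).
refresh_lockfile_sum() {
  idx=$(lockfile_index "$(basename "$1")" "$2")
  old=$(expected_sum "$idx" "$2")
  [ "$old" != "SKIP" ] || return 3
  new=$(sha256sum "$1" | cut -d' ' -f1)
  sed "s/$old/$new/" "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

# Constructed fixture (not a real package): a git source with SKIP and a pinned lockfile.
WORK=$(mktemp -d)
printf 'packages: []\n' > "$WORK/composer.lock"
LOCK_SUM=$(sha256sum "$WORK/composer.lock" | cut -d' ' -f1)
cat > "$WORK/PKGBUILD" <<EOF
pkgname=example-lockfile-demo
source=("git+https://example.invalid/repo.git#commit=0000000"
        "composer.lock")
sha256sums=('SKIP'
            '$LOCK_SUM')
EOF

# Walk the workflow: pinned file verifies; a regenerated file (what updlockfiles writes)
# fails until the checksum is refreshed, after which it verifies again.
if verify_lockfile "$WORK/composer.lock" "$WORK/PKGBUILD"; then echo "pinned: ok"; else exit 1; fi
printf '# regenerated (simulated updlockfiles output)\n' >> "$WORK/composer.lock"
if verify_lockfile "$WORK/composer.lock" "$WORK/PKGBUILD"; then echo "stale checksum accepted"; exit 1; fi
refresh_lockfile_sum "$WORK/composer.lock" "$WORK/PKGBUILD"
if verify_lockfile "$WORK/composer.lock" "$WORK/PKGBUILD"; then echo "refreshed: ok"; else exit 1; fi
```

The index lookup matters because makepkg pairs checksums with sources by position; checking the wrong entry would let a modified lockfile pass against the git source's SKIP, which is why the verifier refuses SKIP for the lockfile itself.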

This can also be used when upstream's lockfile has vulnerable dependencies that you want to patch downstream. For more detailed instructions see the README.

Thanks

This work is currently crowd-funded on GitHub Sponsors. I’d like to thank @SantiagoTorres, @repi and @rgacogne for their support in particular. ♥️