Received: from mail-lj1-f182.google.com (mail-lj1-f182.google.com [209.85.208.182])
	by nld3-dev1.alpinelinux.org (Postfix) with ESMTPS id 5753C78188E
	for <~alpine/devel@lists.alpinelinux.org>; Mon, 30 Dec 2019 12:55:47 +0000 (UTC)
Received: by mail-lj1-f182.google.com with SMTP id u1so33199131ljk.7
        for <~alpine/devel@lists.alpinelinux.org>; Mon, 30 Dec 2019 04:55:47 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:subject:message-id:mime-version
         :content-transfer-encoding;
        bh=vLMlHvd1eMqo6qhEIBiwP7u4sJqZJ/X9BYHjFQ/xOPQ=;
        b=dLwQvrawB+beLIuyyee9N3/42WY0ASWXgMyaK0oULkftUql22EbAwOZFSfcwlRDF7e
         WmRZzXW+hC9HlEqwjdtBZ+YofF2gs0gd/bV4b5Y+FB0AFQv8lx2Z5xFgfn0Az5AIXIoL
         CEvZlfttnJyM2+iprgxiSF7P4L/jif37I6hhxS623AJrlFlN1vyqK4ye9nsqjYzT1Ldu
         1PU1OI0pCQ/lawUAj2cayiCg8585fC8bWdDqxeXTGtt0p3iFTw4c/M/QAoSOyggk8X7R
         hY+sk678DRpGgnBa7xMeS1NhB6d8K1sVMfsACW+DmYKkQufX6qYaB6gkQFrfFxBpMi3z
         at2Q==
X-Gm-Message-State: APjAAAW+UIoCKAyEJdQd7WMZfgvW4gWnqDwitWVW8JE3MT9TEsaAhwOe
	rGOHALePcBTh7suo9WGuMFUcPEkK
X-Google-Smtp-Source: APXvYqwxWenr1tMugyJ0+MLuY5lLPC2psz0c+xlrwP8vBHaYMip1Am0XA6oObsJgunfW3FpLMRKlew==
X-Received: by 2002:a2e:909a:: with SMTP id l26mr19171004ljg.209.1577710546082;
        Mon, 30 Dec 2019 04:55:46 -0800 (PST)
Received: from vostro (87-100-234-203.bb.dnainternet.fi. [87.100.234.203])
        by smtp.gmail.com with ESMTPSA id z3sm17666147ljh.83.2019.12.30.04.55.45
        for <~alpine/devel@lists.alpinelinux.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 30 Dec 2019 04:55:45 -0800 (PST)
Date: Mon, 30 Dec 2019 14:55:42 +0200
From: Timo Teras <timo.teras@iki.fi>
To: ~alpine/devel@lists.alpinelinux.org
Subject: new package format and repository layout changes
Message-ID: <20191230145542.1a7ca9cf@vostro>
X-Mailer: Claws Mail 3.17.4 (GTK+ 2.24.32; x86_64-alpine-linux-musl)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Hi all,

I am currently going through the list of data that goes to a package
and a repository index, as well as the installed db. And trying to
draft the first schema version of what data goes where. So I am now
having some issues I'd like to discuss here.

1. Repository pinning

There's one fundamental issue in the current installed-db that causes
pain - especially when we do strong signing. This is how the package
pinning is done (the "@edge" tagging to enable specific repositories
for specific dependencies only).

Main problem is that the package origin repository needs to be tracked
for detecting pinning changes and it's not in the package meta data
currently. The current workaround is to have the origin tag in
installed-db which means there's data that cannot be signed ahead of
time. There's also some other subtle issues.

My thinking is to start putting the repository meta data (distribution
name, branch, component etc.) in the package. This way the package
origin is known and signed.

2. repositories list format

If the above happens, we might need to do some changes how the tags are
specified.

There was some discussion earlier if we should support more debian
style definition of listing the distro repositories. E.g.
  http://dl-cdn.alpinelinux.org/alpine edge main community

Where the first word is the base URL (or perhaps even some $MIRROR
variable). The second word the distribution branch. And remaining words
would be the list of enabled repositories.

I think the package naming could then be:
  $base_url/$branch/$repo/$arch/$pkgname-$pkgrel.$uniqueid.$arch.apk
and automatically constructed from the package metadata.

(Also wondering if the $uniqueid should be just random generated uuid,
or some sort of hash calculated from the package metadata and contents.
The requirement is that it can be used to identify if two packages are
the same or not.)

3. 'noarch' handling

When implementing the above, I would finally like to properly implement
the 'noarch'. Currently the sources set 'noarch' and build subpackage
properly. But they are put to the target architecture's storage and
when creating index the arch is rewritten to the target arch always.
The plan is to start creating real 'noarch' repository and put the
built package there. I'm wonder if we'd put separate index there, or
include the noarch packages also in the target arch index.

4. version handling

Sort of unrelated, but something I'd like to also bring up once again.
Since now that if we do proper distribution / branch tracking. And the
package downgrades happen at times. I'm wondering if we should make the
package version "informative" only. And use the build_time to decide
which package is the "preferred version". In most cases it is the
latest built package from the repository we want to be using.

Alternative would be introduce some sort of concept similar to
debian/pacman package "epoch".

Though another way to look at it that the buildtime is the
automatically generated epoch number. :)

--

Any thoughts, comments or concerns regarding the above planned changes?

Thanks,
Timo