Arch Linux User Repository

Hello, the extra ldflags breaks the devtools build:

flag provided but not defined: -flto
usage: link [options] main.o
  -B note
        add an ELF NT_GNU_BUILD_ID note when using ELF
  -E entry
        set entry symbol name
  -H type
        set header type
....

apply this patch to fix:

-    -ldflags "-X main.Version=v${pkgver} -extldflags ${LDFLAGS}" \
+    -ldflags "-X main.Version=v${pkgver}" \

Frustrating! I happen to have newly purchased an AMD machine, with a fresh install of EndeavorOS. The package builds and installs on that machine, so at the moment I'm unable to reproduce the failure.

Thank you for providing the Go version; that laptop has an Intel CPU in it, correct? So the architecture would be x86_64?

Can I please get a ticket on the project, or if that's too much work, some details about the build failure? What's the failure message? Can you provide any more information about how it is failing?

Failure occurred in build(). Been like this a while now. Go is go-2:1.20.1-1 ThinkPad t460 6.1.12-arch1-1

@deathtrip Would you mind submitting a bug report on the gotop web site? It installs on my machine, so it would be helpful to have more information -- architecture, Go version, etc -- so I can figure out why it isn't building for you.

doesn't build for me: ==> ERROR: A failure occurred in build().

The recipe you linked to (gotop-git) skips hashes. How is that better than md5sum?

Because hashes are calculated internally by git.

Again, is there a tutorial for this? I haven't seen anything in the documentation I've read that discusses github code signing and how that integrates with aur.

Code signing on github or elsewhere is a generic topic. To enable verifying signatures in PKGBUILD you need to two things: Add ?signed after git repo url in source() array:

git+https://<repo_url>?signed#tag=<tag>"

Add validpgpkeys() array:

validpgpkeys=('<full gpg fingerprint in upper case>'

You can take a look at official kernel PKGBUILD how it's done there: https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/linux&id=e95dd7f0bc971d06117aa8642e511291c8131c97

Also here's wiki article that repeats my point about integrity checking: https://wiki.archlinux.org/index.php/PKGBUILD#Integrity

The recipe you linked to (gotop-git) skips hashes. How is that better than md5sum?

Again, is there a tutorial for this? I haven't seen anything in the documentation I've read that discusses github code signing and how that integrates with aur.

Signing the packages is easily done, but harder to automate.

I didn't talk about signing packages but signing your code in github.

What I'm having difficulty understanding is that what I think I'm hearing is that someone is actually advocating an entirely manual process for building packages, and that can't be right.

In AUR case you don't build any packages, just publish recipe for that.

I already advised you to use git if you don't have the time for hash thing. You may take a look at gotop-git (https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=gotop-git) and just use stable tag instead of HEAD.

Which tutorial should I follow? The one I found and used was saying to use makepkg -g.

This confuses me; the binaries and the archives containing them are built by an automated CI system. So, what am I supposed to be not trusting here? I don't understand the "accepting whatever you just downloaded" comment.

Signing the packages is easily done, but harder to automate. What I'm having difficulty understanding is that what I think I'm hearing is that someone is actually advocating an entirely manual process for building packages, and that can't be right.

I think a pointer to a best-practices page would be great. Keep in mind that I'm not only upstream, but I'm also trying to help multiple distributions, of which Arch is only one. The fact that I'm an Arch user myself does not lessen the amount of work necessary to package a release, so while I'm happy to follow best practices, it needs to be automate-able.