Arch Linux User Repository

pacman supports parallel downloads natively now if you're having problems with powerpill

Why do I keep getting 403 Forbidden when trying to download Powerpill or just visit Xyne's page?

:: Starting the build:
==> Making package: python3-memoizedb 2021-4 (Sat Aug 20 16:13:12 2022)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Downloading python3-memoizedb-2021.tar.xz...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0    16    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (22) The requested URL returned error: 403
==> ERROR: Failure while downloading https://xyne.dev/projects/python3-memoizedb/src/python3-memoizedb-2021.tar.xz
    Aborting...

Hi, just for clarification: My issue was due to the same name of the tar.xz and .tar.xz.sig files. I cache my aur files instead of using /tmp and trizen does not redownload those files if they already exist. So I was left with the old files and the new PKGBUILD which caused the verification error.

It shouldn't affect most users that download into a fresh directory. Leaving the checksum for the .sig out would have helped in this case. But since the file was only re-signed the same package was just reinstalled. It's kind of an edge case. Thanks for maintaining it, Xyne.

Some remarks, in no particular order:

• The error is probably due to the switch to my new TU signing key, not the checksum. Import that to your user key ring. The current PKGBUILD works fine for me with makepkg.
• All of my current PKGBUILDs are automatically generated via my release scripts, including any checksums for signature files. The signature checksums have never been a problem.
• I am currently restructuring and rewriting my entire release framework, which will involve several improvements over the hacky mess that I wrote 10 years ago. If I choose to omit the checksums for the signature files, it will have to wait until that's ready.

Re @JoeCool's remark: I think the solution to this issue would be to skip the checksum verification of the signature file, as per Arch convention.

@Xyne, if you run $ makepkg --geninteg >> PKGBUILD in the repo dir which contains this PKGBUILD, you'll find that it generates the following checksums for the sources:

sha512sums=('a4a1067a020056bd258d8a00c60a3fcd8ea3aa745c52a6f5e29f76f7a6d5e93d4a4c612139a8b746aa5ebbd9307c977edd95ca882e9054537757142ea550bf5'
            'SKIP')

@cyqsimon, could you please explain? What would semantic versioning solve, and how?

Please use semantic versioning. It helps avoid problems like this.

Hi Xyne,

when using trizen it looks like a different problem with the md5sums for most of your AUR packages. I get

==> Validating source files with md5sums...
    powerpill-2021.11.tar.xz ... Passed
    powerpill-2021.11.tar.xz.sig ... FAILED
==> ERROR: One or more files did not pass the validity check!

for many of your packages.

For Powerpill, the pkgrel=4 md5sum that was in the old PKGBUILD is correct instead of the one from pkgrel=4

Trizen seems to see the existing files and not redownload.

Deleting the existing files with the same name fixes this issue.