Build Arch packages with git sources on OBS
After the infamous xz backdoor incident there's been a general move towards building packages directly from Git sources for the sake of transparency, instead of using upstream provided tarballs.
Now, I like to build my Arch packages on the public openSUSE Build Service (OBS) generously sponsored by SUSE, but building packages from Git sources poses a bit of a challenge on OBS: the public instance does not permit network access during builds and requires all sources to be present upfront along with the PKGBUILD. This prevents makepkg from fetching the Git sources during the build. However, with a small trick we can simply commit a “snapshot” of the source repo along with the PKGBUILD.
We'll build the small wcal utility.
We start with a straight-forward PKGBUILD:
$ osc mkpac wcal
$ cd wcal
$ cat >PKGBUILD <<'EOF'
pkgname=wcal
pkgver=0.1
pkgrel=1
pkgdesc='ISO weekly calendar'
license=('CC0-1.0')
arch=("x86_64")
url='https://github.com/leahneukirchen/wcal'
makedepends=('git')
source=("git+${url}.git#tag=v${pkgver}")
build() {
  make -C "${pkgname}" CFLAGS="${CFLAGS}" LDFLAGS="${LDFLAGS}" PREFIX=/usr all
}
package() {
  make -C "${pkgname}" PREFIX=/usr DESTDIR="${pkgdir}/" install
}
EOF
Next we run makepkg --geninteg to add the sha256sums:
$ makepkg --geninteg >> PKGBUILD
As a side effect, makepkg clones the source URL as a bare Git repository next to the PKGBUILD:
$ ls
PKGBUILD src wcal
$ ls wcal
config description HEAD hooks info objects packed-refs refs
We can just add this bare repository to the package repo:
$ osc add wcal
wcal is a directory, do you want to archive it for submission? (y/n) y
91 blocks
A wcal.obscpio
This creates an archive containing the bare repository, which we can commit along with the PKGBUILD:
$ osc addremove
$ osc st
A PKGBUILD
A wcal.obscpio
$ osc ci -m 'wcal 0.1'
Sending meta data...
Done.
Sending wcal
Sending wcal/PKGBUILD
Sending wcal/wcal.obscpio
Transmitting file data ..
Committed revision 1.
The archive gets uploaded along with the PKGBUILD, and OBS automatically extracts it before running makepkg, which then picks up the pre-existing bare repository and uses it as the source directory.
makepkg still tries to update the repository, which fails because the build has no network access; this causes a spurious warning in the OBS build logs:
[ 26s] ==> Retrieving sources...
[ 26s] -> Updating wcal git repo...
[ 26s] fatal: unable to access 'https://github.com/leahneukirchen/wcal.git/': Could not resolve host: github.com
However, we can happily ignore this warning; the package builds successfully.
When updating the package after updating the pkgver in PKGBUILD, we run makepkg --geninteg again to update the checksums in the PKGBUILD.
This updates the bare repository, which we then osc add again; osc warns that the .cpio archive is already under version control but updates it nonetheless.
While not as convenient as using OBS source services to have upstream tarballs fetched automatically, it's worth the added build transparency.
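Because the build never contacts upstream, the committed snapshot is the only source OBS sees. As an added example (not from the original post), the following checks before osc add that the bare repository passes git fsck and that its tag resolves to the same commit as upstream; the function names and the throwaway fixture repository are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: compare the tag in a makepkg bare-repo snapshot with upstream.
# All function names are hypothetical; they are not part of osc or makepkg.

# git wrapper with a fixed identity, used only to build the constructed fixture
g() { git -c user.name=demo -c user.email=demo@example.invalid "$@"; }

# Print the commit a tag points to on a remote (peeled entry wins for annotated tags)
remote_tag_commit() {  # $1 = repo URL or path, $2 = tag name
    git ls-remote "$1" "refs/tags/$2" "refs/tags/$2^{}" |
        awk '{ sha = $1 } index($2, "^{}") { peeled = $1 }
             END { print (peeled != "" ? peeled : sha) }'
}

# Return 0 only if the snapshot passes fsck and its tag matches upstream's
verify_snapshot() {  # $1 = bare repo dir, $2 = tag, $3 = upstream URL or path
    git -C "$1" fsck --strict --no-dangling >/dev/null 2>&1 ||
        { echo "fsck failed: $1" >&2; return 2; }
    local_sha=$(git -C "$1" rev-parse --verify --quiet "refs/tags/$2^{commit}") ||
        { echo "tag $2 missing in snapshot $1" >&2; return 3; }
    remote_sha=$(remote_tag_commit "$3" "$2")
    [ -n "$remote_sha" ] || { echo "tag $2 missing upstream" >&2; return 4; }
    [ "$local_sha" = "$remote_sha" ] ||
        { echo "MISMATCH $2: snapshot=$local_sha upstream=$remote_sha" >&2; return 1; }
    echo "OK $2 -> $local_sha"
}

# Constructed offline fixture: a throwaway "upstream" with tag v0.1 plus a
# mirror clone standing in for the bare repository that makepkg leaves behind
build_fixture() {  # $1 = empty work dir
    g init -q "$1/upstream" &&
    echo 'int main(void){return 0;}' > "$1/upstream/wcal.c" &&
    g -C "$1/upstream" add wcal.c &&
    g -C "$1/upstream" commit -q -m 'initial' &&
    g -C "$1/upstream" tag -a -m 'v0.1' v0.1 &&
    g clone -q --mirror "$1/upstream" "$1/wcal"
}

# Simulate upstream moving the tag after the snapshot was taken
retag_upstream() {  # $1 = work dir
    echo '/* changed */' >> "$1/upstream/wcal.c" &&
    g -C "$1/upstream" commit -q -am 'later change' &&
    g -C "$1/upstream" tag -f -a -m 'v0.1 again' v0.1 >/dev/null
}

# Real use, on a machine with network access, from the package directory:
#   verify_snapshot wcal v0.1 https://github.com/leahneukirchen/wcal.git
```

A mismatch means either the snapshot is stale or the tag was moved upstream after the snapshot was taken; both are worth resolving before committing the archive.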