pacman is an amazingly fast, lightweight and no-bullshit package manager in my eyes, but it looks like it was not designed with a few crucial things in mind.

makepkg does not provide a convenient way of creating split packages

PR that addresses this issue: WarmLinux/pacman#1

Yup, see this libtool commit. Previously I had to move libraries between $pkgdir and $srcdir to split packages, but since I added $splitpkgdir, I can simply keep $pkgdir for running the program author’s way of install and then move content around by hand.

Neat, isn’t it? I think so as well, especially after seeing packaging results:

# du -sh libressl*.pkg*
888K    libressl-2.8.2-1-x86_64.pkg.tar.xz
1004K   libressl-dev-2.8.2-1-x86_64.pkg.tar.xz
1.1M    libressl-doc-2.8.2-1-x86_64.pkg.tar.xz
172K    libressl-utils-2.8.2-1-x86_64.pkg.tar.xz

Imagine still having everything in one package - that’s where, for example, Arch Linux fails with packages (friends reported Debian sid’s minimal install being smaller than Arch Linux’s - that is, without documentation and development headers/libraries).

Warm Linux splits packages so end users can keep their systems as small as possible.
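To make the "move content around by hand" step concrete, here is an added example (not code from the Warm Linux pacman fork): a POSIX sh script that takes a staged install tree, leaves the runtime shared libraries in place and moves headers, pkg-config files, static libraries, manuals and command-line tools into separate dev/doc/utils trees, mirroring the libressl split above. The $pkgdir contents are a constructed sample so the script runs offline; the directory conventions are assumptions, not the fork's own rules.

```shell
#!/bin/sh
# Added example, not part of the Warm Linux pacman fork.
# Split a staged install tree ("pkgdir") into base / dev / doc / utils.
# The file layout below is a constructed sample loosely modelled on libressl.
set -eu

# make_sample_pkgdir DIR: populate a fake install tree (constructed sample)
make_sample_pkgdir() {
    dir=$1
    mkdir -p "$dir/usr/lib/pkgconfig" "$dir/usr/include/openssl" \
             "$dir/usr/share/man/man1" "$dir/usr/share/man/man3" \
             "$dir/usr/share/doc/libressl" "$dir/usr/bin"
    : > "$dir/usr/lib/libssl.so.47"          # runtime library: stays in base
    : > "$dir/usr/lib/libssl.so"             # unversioned symlink target: dev
    : > "$dir/usr/lib/libssl.a"              # static library: dev
    : > "$dir/usr/include/openssl/ssl.h"     # header: dev
    : > "$dir/usr/lib/pkgconfig/libssl.pc"   # pkg-config: dev
    : > "$dir/usr/share/man/man3/SSL_new.3"  # manual: doc
    : > "$dir/usr/share/man/man1/openssl.1"  # manual: doc
    : > "$dir/usr/share/doc/libressl/README" # docs: doc
    : > "$dir/usr/bin/openssl"               # tool: utils
}

# move_tree SRC_ROOT DST_ROOT REL: move REL from SRC_ROOT to DST_ROOT,
# recreating parent directories; a missing REL is not an error.
move_tree() {
    src=$1/$3; dst=$2/$3
    [ -e "$src" ] || return 0
    mkdir -p "$(dirname "$dst")"
    mv "$src" "$dst"
}

# split_pkgdir PKGDIR SPLITDIR: runtime files stay in PKGDIR, everything
# else lands in SPLITDIR/dev, SPLITDIR/doc or SPLITDIR/utils.
split_pkgdir() {
    pkgdir=$1; splitdir=$2
    # -dev: headers, pkg-config files, static libs, unversioned .so symlinks
    move_tree "$pkgdir" "$splitdir/dev" usr/include
    move_tree "$pkgdir" "$splitdir/dev" usr/lib/pkgconfig
    for f in "$pkgdir"/usr/lib/*.a "$pkgdir"/usr/lib/*.so; do
        [ -e "$f" ] || continue   # unmatched glob stays literal; skip it
        move_tree "$pkgdir" "$splitdir/dev" "usr/lib/$(basename "$f")"
    done
    # -doc: manual pages and /usr/share/doc
    move_tree "$pkgdir" "$splitdir/doc" usr/share/man
    move_tree "$pkgdir" "$splitdir/doc" usr/share/doc
    # -utils: command-line tools
    move_tree "$pkgdir" "$splitdir/utils" usr/bin
}

# count_files DIR: number of regular files under DIR (used to verify the split)
count_files() {
    find "$1" -type f | wc -l | tr -d ' '
}

# run_demo: build the sample tree, split it and print the per-package counts
run_demo() {
    tmp=$(mktemp -d)
    make_sample_pkgdir "$tmp/pkg"
    split_pkgdir "$tmp/pkg" "$tmp/split"
    for d in pkg split/dev split/doc split/utils; do
        printf '%s: %s files\n' "$d" "$(count_files "$tmp/$d")"
    done
    rm -rf "$tmp"
}

run_demo
```

With the sample tree the base package keeps only libssl.so.47, while dev receives four files, doc three and utils one; the versioned runtime library is deliberately matched by neither the `*.so` nor the `*.a` glob so that the base package still works without the dev split installed.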

makepkg leaks system information

PR that addresses this issue: WarmLinux/pacman#2

Dumping the list of installed packages while packaging might sound like a great debugging resource for package maintainers - and indeed it is sometimes really valuable information - but it can also be used to mine data from personal systems.

Consider this scenario:

  1. A build server builds packages and hosts them over an http(s) server.
  2. The build server also runs an outdated http(s) server, which is vulnerable and allows RCE.
  3. Someone extracts the information shipped inside the packages, which is quite verbose.
  4. That someone gets access to the build server.

Of course, there are many different ways to protect a build server, and those are probably recommended over simply hiding information, but keeping potentially useful information hidden from prying eyes is the first step towards not getting targeted.
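For maintainers who want to see what a package actually discloses before publishing it, here is an added example (not code from the Warm Linux pacman fork): a POSIX sh audit of a package's .BUILDINFO, the file in which upstream makepkg records the build host's installed package list as `installed = ` lines alongside the build directory, packager and build date. The sample .BUILDINFO is constructed; the choice of which fields count as host-describing is this example's assumption.

```shell
#!/bin/sh
# Added example, not part of the Warm Linux pacman fork.
# Audit a package's .BUILDINFO for fields that describe the build host rather
# than the package, and produce a copy with those fields removed.
set -eu

# Fields considered host-describing in this example (assumption, not a
# pacman rule). "installed" lines enumerate every package on the build host.
HOST_FIELDS='installed builddir packager builddate'

# write_sample_buildinfo FILE: constructed .BUILDINFO in makepkg's key = value
# layout; the values are invented and do not describe any real host.
write_sample_buildinfo() {
    cat > "$1" <<'EOF'
format = 2
pkgname = libressl
pkgbase = libressl
pkgver = 2.8.2-1
pkgarch = x86_64
packager = Example Packager <packager@example.invalid>
builddate = 1540000000
builddir = /home/packager/build
buildenv = !distcc
options = strip
installed = gcc-8.2.1-1-x86_64
installed = glibc-2.28-5-x86_64
installed = nginx-1.14.0-1-x86_64
EOF
}

# count_installed FILE: how many host packages the file enumerates
count_installed() {
    grep -c '^installed = ' "$1" || true   # grep -c exits 1 on zero matches
}

# leaked_fields FILE: host-describing field names present, space separated
leaked_fields() {
    found=''
    for f in $HOST_FIELDS; do
        if grep -q "^$f = " "$1"; then
            found="$found$f "
        fi
    done
    printf '%s\n' "${found% }"
}

# strip_host_fields IN OUT: copy IN to OUT without the host-describing fields
strip_host_fields() {
    pattern=''
    for f in $HOST_FIELDS; do
        pattern="$pattern${pattern:+|}^$f = "
    done
    grep -E -v "$pattern" "$1" > "$2"
}

# run_demo: write the sample, report what leaks, write a stripped copy
run_demo() {
    tmp=$(mktemp -d)
    write_sample_buildinfo "$tmp/BUILDINFO"
    printf 'host packages listed: %s\n' "$(count_installed "$tmp/BUILDINFO")"
    printf 'host-describing fields: %s\n' "$(leaked_fields "$tmp/BUILDINFO")"
    strip_host_fields "$tmp/BUILDINFO" "$tmp/BUILDINFO.stripped"
    printf 'lines after stripping: %s\n' "$(wc -l < "$tmp/BUILDINFO.stripped" | tr -d ' ')"
    rm -rf "$tmp"
}

run_demo
```

Run it against a real package with `bsdtar -xOf pkg.tar.xz .BUILDINFO > BUILDINFO` first; the `installed` lines are the ones that tell an outsider which versions of which services run on the build host, which is exactly the information the scenario above turns into a target list.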

There might be more improvements coming soon; keep your eyes on Warm Linux’s pacman fork git repository.