submitted 1 week ago* (last edited 1 week ago) by [email protected] to c/[email protected]

Code: https://github.com/pkgforge/soar

Soar is like Linuxbrew (Homebrew), but its packages are 100% static & relocatable on any Linux distro.

[-] [email protected] 2 points 1 week ago

> Does it store a complete dependency graph for each of your statically built (or containerized) applications?

No. Though some of it can be inferred from the overtly verbose logs.

> For example, if there’s an exploit for libwebp and you need to update all the binaries that link it, can it find which binaries need updating from that information?

No again.

Currently, most packages are built from git HEAD on alpine:edge or debian-unstable build containers. So if the fix for this affected libwebp is shipped to the images that the build containers are based on (likely because we use edge/unstable images), then any affected packages would also automatically receive this fix.

To store a complete dependency graph, we will most likely need some custom tooling because our build recipes differ wildly for each package. If you have any ideas, please open a discussion on the repo. Thanks!

[-] [email protected] 2 points 1 week ago

Thanks for the reply.

> Currently, most packages are built from git HEAD on alpine:edge or debian-unstable build containers. So if the fix for this affected libwebp is shipped to the images that the build containers are based on (likely because we use edge/unstable images), then any affected packages would also automatically receive this fix.

How often do packages get rebuilt? Is it only when there's a new version? The problem in that case would be that a package that is no longer developed (or has very long release cycles) would not receive the fix.

[-] [email protected] 5 points 1 week ago

> How often do packages get rebuilt? Is it only when there’s a new version?

Yes, only if there's a new version.

> The problem in that case would be that a package that is no longer developed (or has very long release cycles) would not receive the fix.

We specifically mark these kinds of packages as outdated (even deprecated) if they are older than 90 days.

Currently, the stats:

This will improve if we can get more builders; currently we use the free CI provided by GitHub Actions.

[-] [email protected] 2 points 1 week ago

Interesting, thanks!
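
The two questions in this thread (which static binaries embed an unfixed libwebp, and which builds have passed the 90-day mark) can be answered mechanically once each build records what it linked. The sketch below is an added example, not Soar's code: the record format, package names, versions and the `audit` helper are all hypothetical, since the thread states Soar does not currently store this information.

```python
from datetime import date

# Constructed sample build records (hypothetical format, not Soar's metadata):
# each package lists the libraries statically linked into it at build time.
BUILDS = [
    {"pkg": "imgtool", "built": date(2025, 5, 20), "libs": {"libwebp": "1.3.2", "zlib": "1.3.1"}},
    {"pkg": "oldviewer", "built": date(2024, 11, 2), "libs": {"libwebp": "1.3.0"}},
    {"pkg": "thumbd", "built": date(2025, 4, 30), "libs": {"libwebp": "1.3.1", "libpng": "1.6.43"}},
    {"pkg": "jsonfmt", "built": date(2024, 9, 15), "libs": {"zlib": "1.3"}},
]

OUTDATED_AFTER_DAYS = 90  # threshold mentioned in the thread


def parse_version(v):
    """Turn '1.3.2' into (1, 3, 2) so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))


def audit(builds, lib, fixed_in, today):
    """Return (needs_rebuild, outdated) package-name lists.

    needs_rebuild: packages that embed `lib` at a version below `fixed_in`.
    outdated: packages whose last build is older than the 90-day threshold.
    """
    fixed = parse_version(fixed_in)
    needs_rebuild, outdated = [], []
    for b in builds:
        embedded = b["libs"].get(lib)
        if embedded is not None and parse_version(embedded) < fixed:
            needs_rebuild.append(b["pkg"])
        if (today - b["built"]).days > OUTDATED_AFTER_DAYS:
            outdated.append(b["pkg"])
    return needs_rebuild, outdated


if __name__ == "__main__":
    # "1.3.2" as the fixed version is a constructed value for this sample data.
    vulnerable, stale = audit(BUILDS, "libwebp", "1.3.2", date(2025, 5, 29))
    print("embed unfixed libwebp:", vulnerable)
    print("older than 90 days:", stale)
    # Stale AND vulnerable: no new upstream version will arrive to trigger a rebuild.
    print("need a forced rebuild:", sorted(set(vulnerable) & set(stale)))
```

Packages in both lists are the case raised in the thread: a rebuild only happens on a new upstream version, so they keep the unfixed library until someone forces a rebuild.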

this post was submitted on 29 May 2025
42 points (95.7% liked)
