pin version in depends for bin package

[Links2004]

Hi,

I think its a good idea to pin the versions of dependencies in the PKGBUILD for the bin package release.

libicui18n.so is the prime example for braking on updates with out any warning.
if the version where pinned then pacman prompts for unresolved dependency and ask for remove of ungoogled-chromium-archlinux which gives the users a hint to look whats going on, currently the update runs and if you want to start your ungoogled-chromium you are end up in errors like, /usr/lib/chromium/chromium: error while loading shared libraries: libicuuc.so.73: cannot open shared object file: No such file or directory which is less then ideal ;)

rebuild seems to be running https://github.com/ungoogled-software/ungoogled-chromium-archlinux/actions/runs/7241153657
but until then my main browser is broken, with the versions pinned the users get the change to delay there updates and never have a broken browser ;)

[SvenMeyer]

@Links2004 I had this problem quite often and also struggled with reverting to the previous version (actually for some reason it never worked for me).
However since moving to the OBS version, this did not happen to me for the past weeks, but (for whatever reason) they change their keys every time.
As I was desperate to find a quick solution, I found "somewhere" a script* (fix-gpg-pacman.sh) which updates all keys, that helps, but also takes always ~ 10 min
Maybe somebody with more experience has a better solution ...

* https://forum.manjaro.org/t/howto-work-around-gpg-verification-issue-on-left-behind-systems/125822

[networkException]

I don't know about pinning dependencies, it doesn't sound like good practice. The -bin package having this issue is a direct result of fundamental design decisions in Arch Linux's packaging system and I fear people will just have to deal with this given they've chosen their distribution.

For other -bin AUR packages this isn't as big of a deal, but Chromium is extremely slow to build on the free tier we have available. We might be able to improve our build infrastructure in the future, but there's a lot we have to do before that.

I can only really recommend having a second package manager (like Nix or Flatpak) installed for the time being

However since moving to the OBS version, this did not happen to me for the past weeks, but (for whatever reason) they change their keys every time.

OBS' support for Arch Linux is an awful hack

[jstkdng]

it doesn't sound like good practice

indeed since it could lead to partial upgrades. What about adding versions to the optional deps? That at least would show a message when upgrading but still allow it.

We might be able to improve our build infrastructure in the future

pretty hard to beat free 12-16 core vms. Only way I can think of is getting sponsored by some large hosting company, that would probably require that all or some maintainers doxx themselves or something though.