Files
Douglas Teles 6faa39c570 update: let kernel and DTB fixes flow through pacman via flash-sync
Until now anything living on the FAT boot partition (kernel Image and
the device trees) was reflash-only, breaking the promise that every
update can arrive either by rewriting the image or through pacman and
the ES update menu. Close the gap with three pieces:

- The linux package now ships the kernel image in the rootfs under
  /usr/share/bootloader/Image next to the device_trees it already
  installs, so a pacman upgrade of linux delivers both.
- archr-flash-sync copies Image to /flash/KERNEL (refreshing the
  KERNEL.md5 sidecar) and device_trees/*.dtb to /flash/dtbs, but only
  the files whose sha256 actually changed, each written as a verified
  .new temp in the same FAT directory and renamed over the original so
  the torn-write window is the rename alone. /flash/overlays (the
  user's panel overlay), extlinux, boot scripts and u-boot are never
  touched; u-boot/TPL live in raw sectors where a torn write bricks
  the card, so the bootloader intentionally stays image-flash only.
- An alpm PostTransaction hook (HookDir /etc/pacman.d/hooks) fires the
  sync whenever a transaction touches the bootloader payload.

gen-pacman-repo now prunes the .image build-plumbing directory from
packages, which would otherwise dump a duplicate raw kernel at /.image
on every update.

Hardware test pending: run archr-flash-sync by hand over SSH and check
the device still boots with the synced KERNEL and dtbs.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-07 20:10:49 -03:00
..

scripts/repo

Tooling for the GitHub-Releases-as-pacman-mirror workflow described in docs/release-policy.md. The end result is a tag like repo-stable on archr-linux/archr-repo with the assembled .pkg.tar.zst files and signed metadata.

gen-pacman-repo

Reads the finished build tree (build.*-RK3326/install_pkg/<pkg>/) that make docker-RK3326 leaves behind, packs each <pkg> directory into a <pkg>-<version>-1-aarch64.pkg.tar.zst, generates the .PKGINFO sidecar that pacman needs, and runs repo-add to build archr.db and archr.files.

Run after a successful build:

BUILD_DIR=build.ArchR-RK3326.aarch64-2026.06-devel \
OUT_DIR=/tmp/repo-out \
CHANNEL=dev \
SIGNER=                                          \
    scripts/repo/gen-pacman-repo

Then upload:

gh release create repo-dev                                \
    --repo archr-linux/archr-repo                         \
    --title "ArchR repo dev $(date +%Y%m%d)"              \
    /tmp/repo-out/*

GPG signing

For production releases, set SIGNER=<fingerprint> and have the agent (or a YubiKey-backed agent) ready. repo-add --sign will sign the .db as it walks the package list, and each .pkg.tar.zst gets a .sig as well.

The master key whose public half is bundled into the archr-keyring package must include <fingerprint> either directly or as a signed subkey, otherwise pacman-key --populate archr on the client will not extend trust to packages signed by it.

Channels and tag mapping

archr-update rewrites /etc/pacman.d/mirrorlist based on system.cfg "updates.branch":

Channel value Mirror tag on archr-linux/archr-repo
stable (default) repo-stable
next repo-next
dev repo-dev

The promotion workflow (dev -> next -> stable) is documented in docs/release-policy.md.