Never install packages onto this host to work around a build problem
(e.g. pacman -S <pkg> on the host to satisfy a missing dependency).
The archbuild chroots (extra-<arch>-build, archlinuxaba-x86_64-build
— see REPO_PUBLISH_DESIGN.md) exist precisely so package installs for
a build happen in an isolated, disposable environment; the host’s own
package set stays untouched. If a build needs a package, that has to
come from the chroot’s own dependency resolution (fixed by adding
packages to this tree, adding a missing makedepends, or — for
intra-tree dependencies — building+publishing the dependency first so
archlinuxaba-x86_64-build’s own repo config picks it up).
Exception: gpg --recv-keys for a PGP signature the build needs to
verify a source is fine to run on the host. That’s a normal part of
actually doing the build (makepkg’s source-verification step uses the
invoking user’s own GPG keyring), not “installing software” in the
sense the rule above means. Example: importing key 95FA6F43E21188C4
for maintained/arduino/maintained/arduino-builder, 2026-07-07.
Read-only inspection commands on the host (pacman -Si <pkg> to check
if something exists upstream, command -v <tool>) were never in
question either way — the policy is about installing/modifying host
state, not querying it.
Established 2026-07-07 during the “build all packages for x86_64”
private-repo release pass, after drafting a few host-level fix
suggestions for missing dependencies/keys while triaging build
failures.