pkgver tracks the pacman git repo itself (_git_tag + optional
_git_patch_level_commit) and is set manually, not auto-computed by a
pkgver() function — a pacman version bump is a separate concern from the
bundled third-party dependency bumps below.
Bundled deps each have a _xxxver variable and are tracked via
nvchecker-deps.toml (archpkg source, i.e. compared against current Arch
package versions): c-ares, nghttp2, curl, openssl, brotli, zlib, xz,
bzip2, zstd, libarchive, libgpg-error, libassuan, gpgme, libseccomp.
scripts/check_for_updates_maintained.sh runs
nvchecker -c nvchecker-deps.toml for this package (and libarchive-static)
unconditionally at the top of the script, before the main UPD/OK/? loop —
its output isn’t part of the OK/UPD/? summary table, it only shows up as
log lines in stderr (STATES.stderr). Check STATES.stderr for
“updated from X to Y” lines — that’s the actual signal that a bundled
dependency here (or in libarchive-static) needs bumping, since the
version-check table doesn’t cover these deps at all.
nvchecker’s old/new comparison files (nvchecker-old.txt,
nvchecker-new.txt) must be kept in sync manually: after successfully
bumping deps and building, cp nvchecker-new.txt nvchecker-old.txt so the
next run doesn’t re-report already-applied bumps as new. If deps are
unchanged, old/new are already identical and nothing to do.
2026-07-02: bumped curl 8.20.0->8.21.0, gpgme 2.1.0->2.1.2, libarchive
3.8.7->3.8.8 (all per nvchecker-deps.toml diff), pkgrel 12->13 (pkgver
itself unaffected, it’s the pacman git version). updpkgsums + rebuilt
.SRCINFO. Built cleanly on x86_64, i686, pentium4, i486.
Same known-harmless noise as libarchive-static: namcap SPDX-license /
RELRO / PIE / unstripped warnings and the chroot’s broken
pyalpm/libalpm namcap crash — none of these indicate a real build
failure, check for the produced .pkg.tar.xz instead.
2026-07-07, private-repo release pass: this package’s
PKGEXT=.pkg.tar.xz override (line ~144 of the PKGBUILD, deliberate —
“keep using xz-compressed packages… to recover on systems with broken
zstd support”) tripped a real bug in repo_release.sh, which hardcoded
a .pkg.tar.zst-only glob for sign/publish. Build succeeded but the
script reported ERROR: no *.pkg.tar.zst found ... after build. Fixed
by making repo_release.sh collect every valid package extension
(.gz/.bz2/.xz/.zst/.lz) — see memory/libarchive-static.md
for the same issue there. Signed and published successfully afterward
from the already-built .xz artifacts.