Every so often somebody says something (such as this forum post), or does something unwise in the recipe store (binary Firefox 3 beta recipe) suggesting they don’t know just how simple it is to create your own store to put packages you build or unstable recipes you write into. For GoboLinux, the format is extremely simple, and the tools make it pretty easy as well.
Both recipe and package stores are very similiar; in both cases, it’s a web-accessible directory of .recipe.tar.bz2 or –i686.tar.bz2 files, containing at least a file named “MANIFEST” listing out those filenames. You can generate that file with `ls > MANIFEST`. There’s a second file, MANIFEST.bz2, that’s a compressed version of the same.
That’s all that’s actually necessary to set up a repository – the URL of that directory can be added to getRecipeStores or one of the lists in GetAvailable.conf, and your recipes or packages will automatically be included by all of the tools, including Freshen.
You can generate the package tarballs with the `CreatePackage` command, and they will be signed with your GPG key if you have one. That key won’t be in the default keyring, so the packages will fail verification when installed. You can either ensure they’re unsigned, or have users of your repository import your key into the system keyring: `gpg –no-default-keyring –keyring=/Programs/Scripts/Current/Data/gpg/goboring.gpg –recv-keys 8B3A4A5B` will pull in mine, for example. Then people will be able to determine that the packages haven’t been modified and that they come from you, so they can decide whether to trust you to build them or not.
Now, to be honest, I strongly advise against anybody using some external package repository you haven’t created yourself. It’s just a bad idea to install opaque blobs of software you can’t know anything about. If they’re signed, you know they’re from the same person each time, and if the signing key’s in the strong set you have a reasonable assurance of who that person really is, but it’s still pretty unwise to do willy-nilly.
Experimental recipe repositories are a good idea, though – just think it through before you decide to use the unstable recipes. I set one up at http://mwh.geek.nz/files/gobo/recipes/experimental/ to contain recipes I’ve built that are or need unreleased versions of software, and anybody else in that situation would be advised to do the same. GoboLinux makes it very simple to add software to the packaging system, unlike most distributions, and creating your own repository is easy as well for when you need it.