At some point it would probably make sense to replace BPO with an off-the-shelf solution. ### Reasons * More maintainers: Right now I'm maintaining BPO alone and I'm writing almost all of its code, meaning new fixes or features only get developed when I make time for it. * Getting some important features / improvements, e.g.: * #146: sign individual packages too, not only the entire APKINDEX * #149: easier administration * #57: shorter restart times * #49: better architecture that doesn't lead to timeouts * Building packages without network access (maybe unless we have `options="net"` in the APKBUILD, like in Alpine?) * Alpine is also considering to rebuild their build infra ([tsc#82](https://gitlab.alpinelinux.org/alpine/tsc/-/issues/82)), it would make it a lot easier for us if we ended up using the same software for building the package repository in the end. ### Requirements * Required: figure out how to build for all foreign architectures we support. Right now we cross compile everything on x86_64 with pmbootstrap. So either we can use pmbootstrap in `$newtool` (through configs / adding a custom build shell script that runs pmbootstrap) or we need to get builders for foreign architectures (which could also be feasible). * Required: publicly accessible logs for builds, so others can see the failures too and help fixing them * Required: nice web UI that makes it easy to understand what's going on * Required: Defer signing to a trusted signer (from Alpine's list) * Required: Support determining and build batches of packages that depend on each-other (from Alpine's list) * Required: API hook for triggering builds from our gitlab * Required: well maintained upstream * Required: secure architecture, good security practices * Required: some way to integrate it with our monitoring (could be that we write a small script that calls a bunch of APIs to figure out what jobs failed, so we can send that into the matrix chat via our monitoring) * Required: some sort of staging repository support (or maybe `home:...` like in openSUSE Build Service) * Good to have: support building images too? if not we keep bpo around for that for now and only build the packages through the new tool