Hi

On Sat, Jul 18, 2015 at 1:04 PM, Gaetan Bisson <bisson@archlinux.org> wrote:
> Hi,
>
> As more of our official packages use git sources, I'd like to suggest we
> always enforce some kind of checksum verification. More specifically, I'd
> like us to avoid using straightforward source arrays such as:
>
>     source=("git://github.com/systemd/systemd.git#tag=v$pkgver")
>     md5sums=('SKIP')
>
> Instead I suggest we use the full commit hash. In the example above, that'd
> become something like:
>
>     _commit=9a50ce20ef60263a6c88c29470ce761fcc424f2d
>     source=("git://github.com/systemd/systemd.git#commit=$_commit")
>     md5sums=('SKIP')

Would it be better to improve the *sums=() function to work with directories?
This will also help svn/hg based packages. A simple solution is to tar the
whole directory and then calculate the checksum:

    tar -c $DIR | md5sum

> Does that sound like a good idea?
>
> --
> Gaetan
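The directory checksum the reply proposes has a pitfall worth seeing in practice: `tar -c $DIR | md5sum` also hashes file mtimes, ownership and directory order, so two byte-identical checkouts made at different times produce different sums. The script below is an added example, not code from the thread or from makepkg; it assumes GNU coreutils (`sha256sum`, `sort -z`) and a POSIX `tar`, and hashes only paths and file contents, skipping VCS metadata, so the result is stable across checkouts.

```shell
#!/bin/sh
# Added example (not from the thread): content-only checksum for a source
# directory, beside the naive tar-based sum for comparison.
set -eu

# Hash every regular file (path + contents) in sorted order, then hash that
# list. .git/.hg/.svn metadata is skipped so only the working tree counts.
dir_checksum() {
    dir=$1
    (
        cd "$dir"
        find . -type f \
            ! -path './.git/*' ! -path './.hg/*' ! -path './.svn/*' \
            -print0 | LC_ALL=C sort -z | xargs -0 sha256sum
    ) | sha256sum | cut -d' ' -f1
}

# Compare a directory against an expected sum; non-zero on mismatch, which is
# what a PKGBUILD-style verification step needs in order to abort the build.
verify_dir_checksum() {
    dir=$1
    expected=$2
    actual=$(dir_checksum "$dir")
    [ "$actual" = "$expected" ]
}

# The approach from the reply: archive the tree and hash the archive bytes.
# The tar headers carry mtime/uid/gid, so this is not reproducible.
naive_tar_checksum() {
    tar -c -C "$1" . | sha256sum | cut -d' ' -f1
}

# Constructed demo tree: identical content, caller-chosen mtime (CCYYMMDDhhmm).
make_demo_tree() {
    dir=$1
    stamp=$2
    mkdir -p "$dir/src" "$dir/.git"
    printf 'int main(void) { return 0; }\n' > "$dir/src/main.c"
    printf 'all:\n\tcc src/main.c\n' > "$dir/Makefile"
    printf 'ref: refs/heads/master\n' > "$dir/.git/HEAD"
    touch -t "$stamp" "$dir/src/main.c" "$dir/Makefile" "$dir/src" "$dir"
}
```

Pinning `#commit=` in `source=()` remains the stronger control, since git verifies the object hash itself; a tree checksum like this one is what a `*sums` entry for a directory would have to compute to be meaningful.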