19 Feb
2015
19 Feb
'15
11:46 p.m.
On 02/19/2015 05:24 PM, Lukas Jirkovsky wrote:
On 19 February 2015 at 21:42, Doug Newgard <scimmia@archlinux.info> wrote:
You can't. If upstream provides a checksum, that gives you some verification, but since github doesn't, there's no way to verify any of it.
I don't know about github, but with bitbucket the checksums of these generated tarballs may change occasionally as I had this issue with luxrender. However, the sources were always the same, it was the metadata that changed.
How important are checksums to PKGBUILDS then? Should sources with varying checksums just have 'SKIP' in their integrity arrays? Regards, Mark