On 19/02/15 11:39 PM, Mark Lee wrote:
On 02/19/2015 05:46 PM, Mark Lee wrote:
On 02/19/2015 05:24 PM, Lukas Jirkovsky wrote:
On 19 February 2015 at 21:42, Doug Newgard <scimmia@archlinux.info> wrote:
You can't. If upstream provides a checksum, that gives you some verification, but since github doesn't, there's no way to verify any of it.
I don't know about github, but with bitbucket the checksums of these generated tarballs may change occasionally as I had this issue with luxrender. However, the sources were always the same, it was the metadata that changed.
How important are checksums to PKGBUILDs then? Should sources with varying checksums just have 'SKIP' in their integrity arrays?
Regards, Mark
Furthermore, if the integrity check is different from upstream, is a packager obligated to host a copy of the source code for GPLed software?
Regards, Mark
No... the integrity check not matching is not because an out-of-tree source tree was used. The checksums are certainly not there to improve security, that's what GPG signatures are for.
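The remark above that the sources stayed the same while only the metadata changed can be checked rather than taken on faith. The following is an added example, not code from the thread or from any Arch tooling: it builds a small, reproducible tar stream from constructed sample files, compresses it twice the way a hosting service might (with different gzip-header timestamps), and shows that the tarball checksums differ while a checksum of the decompressed tar stream does not. The file names and timestamps are made up for the demonstration.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample "repository" contents (hypothetical names, not a real project).
SAMPLE_FILES = {
    "example-1.0/README": b"example project\n",
    "example-1.0/src/main.c": b"int main(void) { return 0; }\n",
}


def build_tar(files):
    """Return an uncompressed tar archive (bytes) with fixed per-entry metadata,
    so the tar stream itself is byte-for-byte reproducible."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(files):
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0
            info.uid = info.gid = 0
            info.uname = info.gname = "root"
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def gzip_with_mtime(raw, mtime):
    """Compress the tar stream, stamping the given mtime into the gzip header.
    This mimics a service regenerating the same archive at a different time."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=mtime) as gz:
        gz.write(raw)
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def content_sha256(tarball):
    """Checksum of the decompressed tar stream. The gzip header (timestamp,
    original file name, OS byte) is not part of what is hashed here."""
    return sha256(gzip.decompress(tarball))


def verify_contents(tarball, expected_content_sha256):
    """Integrity check that survives re-compression of unchanged sources."""
    return content_sha256(tarball) == expected_content_sha256


def demo():
    """Generate the 'same' tarball twice and compare both kinds of checksum."""
    raw = build_tar(SAMPLE_FILES)
    first = gzip_with_mtime(raw, 1424368800)   # constructed timestamp
    second = gzip_with_mtime(raw, 1424455200)  # constructed: one day later
    return {
        "tarball_hashes_differ": sha256(first) != sha256(second),
        "content_hashes_equal": content_sha256(first) == content_sha256(second),
        "content_sha256": content_sha256(first),
        "first": first,
        "second": second,
    }


if __name__ == "__main__":
    result = demo()
    print("tarball checksums differ:", result["tarball_hashes_differ"])
    print("decompressed checksums equal:", result["content_hashes_equal"])
```

On the command line the equivalent check is `gzip -dc archive.tar.gz | sha256sum`, which can be compared across two downloads of a regenerated archive. Note that this only tells you the contents did not change between two fetches; a `SKIP` entry in a PKGBUILD disables the integrity check altogether, and neither approach says anything about whether the sources are the ones upstream intended, which is the job of the GPG signature mentioned above.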