----------------------------------------
From: adys.wh@gmail.com
Date: Tue, 22 Oct 2013 01:56:16 +0100
To: aur-general@archlinux.org
Subject: [aur-general] Support for remote sums in PKGBUILDs

Breaking away from an IRC convo from this morning; has support for remote sums been considered for pacman? It's currently possible to do this for .sig files (through the source array), but not available for simple sha/md5 hashes. This would let packagers do something like:

    source=("http://example.com/downloads/$pkgname-$pkgver.tar.xz")
    sha1sums=("http://example.com/downloads/$pkgname-$pkgver.tar.xz.sha1")

(Of course, only for servers that generate a programmatically discoverable hash of some sort; but it's not actually uncommon)
J. Leclanche

Couldn't you just do:

    sha1sums=("$(curl http://example.com/downloads/$pkgname-$pkgver.tar.xz.sha1)")

It kind of defeats the purpose, though. If the server is hacked or someone does a MitM, they can easily replace the checksum file as well.
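
The point made in the reply above, as an added example that is not part of the original thread: a checksum read from the same origin as the tarball still matches after both files are replaced, while a value pinned in the PKGBUILD does not. A temporary local directory stands in for the download server, and the file name and the function names are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: a local directory plays the role of the download server.

# Publish a release: the tarball plus its .sha1 file, as an upstream server would.
publish() {  # $1 = server dir, $2 = file name, $3 = content
    printf '%s\n' "$3" > "$1/$2"
    sha1sum "$1/$2" | cut -d' ' -f1 > "$1/$2.sha1"
}

# "Remote sum": the expected hash is read from the same origin as the file.
verify_remote_sum() {  # $1 = server dir, $2 = file name
    expected=$(cut -d' ' -f1 < "$1/$2.sha1")
    actual=$(sha1sum "$1/$2" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Pinned sum: the expected hash was recorded in the PKGBUILD by the packager.
verify_pinned_sum() {  # $1 = server dir, $2 = file name, $3 = pinned sha1
    actual=$(sha1sum "$1/$2" | cut -d' ' -f1)
    [ "$3" = "$actual" ]
}

run_demo() {
    server=$(mktemp -d) || return 1
    name="demo-1.0.tar.xz"   # placeholder file name, not a real package

    publish "$server" "$name" "original release"
    pinned=$(cut -d' ' -f1 < "$server/$name.sha1")   # what the packager recorded

    # The party controlling the server or the connection swaps both files.
    publish "$server" "$name" "modified release"

    if verify_remote_sum "$server" "$name"; then remote=accepted; else remote=rejected; fi
    if verify_pinned_sum "$server" "$name" "$pinned"; then pin=accepted; else pin=rejected; fi

    rm -rf "$server"
    echo "remote=$remote pinned=$pin"
}

run_demo
```
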