On Sat, 29 May 2021 10:18:12 +0300 Pasha Finkelshteyn via aur-general firstname.lastname@example.org said:
On 21/05/28 05:28PM, Eli Schwartz via aur-general wrote:
On 5/28/21 5:10 PM, Thibault Molleman via aur-general wrote:
So, I like the Vuescan app and I respect the developer for having made it. Really glad I paid for it. BUT it has to be said that installing/updating this aur package is a disaster. Basically: the download urls and/or the checksums keep changing to the point where 90% of the time when you try to update/install it, the pkgbuild is already out of date. I emailed the developer asking if he could adopt a better download url system.
It sounds like you've done an excellent job analyzing the problem and figuring out the solution.
He replied: "No, I want people to only download VueScan from www.hamrick.com and I’m trying to figure out ways of disabling downloading from other sites."
That's a shame, but there's nothing anyone can do about it if he does.
I explained to him that downloading from a repo or via a pkgbuild is such a convenient method and one of the key selling points of using Linux tbh. But haven't received an answer back (it has only been 3 days. But still).
I really hope this 'issue' can somehow be resolved so people can properly install this great app without the constant cat-mouse game of trying to update the checksum fast enough.
The checksums will need to be updated either way in order to update the package. Your solution does mean the old version would continue to work until the PKGBUILD gets updated...
-- Eli Schwartz Bug Wrangler and Trusted User
I don't know if it's compatible with AUR/Arch policies, but what can sto us from writing python-selenium script, which will find actual download URL and will check its checksum and if it's differrent — will update everything needed?
Maybe just treat this similar to aur -git builds - the upstream can't be checksummed (sensibly) and thus are skipped. As with all AUR things - user beware and you are already told to check the PKGBUILD for anything suspicious and it's why AUR helpers are generally discouraged. If you use this AUR you take on the responsibility and risks that removing the shasums creates.