On Sat, 29 May 2021 22:25:45 -0400 Eli Schwartz via aur-general firstname.lastname@example.org said:
On 5/29/21 7:00 AM, Carsten Haitzler via aur-general wrote:
Maybe just treat this similar to aur -git builds - the upstream can't be checksummed (sensibly) and thus are skipped. As with all AUR things - user beware and you are already told to check the PKGBUILD for anything suspicious and it's why AUR helpers are generally discouraged. If you use this AUR you take on the responsibility and risks that removing the shasums creates.
The checksums are less about security and more about detecting things like truncated downloads, server error pages that deliver "oops, page not found" HTML content with a 200 OK response code, or captive portals that deliver "please login to this wireless network" using, again, 200 OK response codes.
But as it's an rpm - this will be found soon enough with a corrupted rpm (it's not an rpm or partial). I'm sure you can find some rpm consistency checking is able to detect this.
git builds have the advantage that the git protocol is internally able to verify that the response is a) git repos, b) didn't get corrupted by network errors, which is why they don't need or have the capability to provide checksums.
Moreover, if you did remove the checksums, you'd still have people using $SRCDEST to save repeated downloads and getting the wrong cached content instead of the updated version, so they'd see nothing available to update, or repackage old versions with a new version number. And pkgver() functions are not a solution as pkgver() runs after the sources are downloaded and cannot be used to update the values in the source=() array.
Extract it from the rpm... :) The PKGBUILD can also nuke any local files in the build dr (i.e. src) that negates that form of caching at least. If an intermediate proxy caches - then ... either way we have a failure. The pkg doesn't update - stays the same version or shasum fails to build a package. Either way - failure and user doesn't get an update. :)
If an upstream is actively trying to make things hard, we're going to have issues no matter what.