On 26/08/12 03:36, Luke Shumaker wrote:
An advantage of my design is that it does allow for integrity checks of VCS packages, rather than inserting 'SKIP' into the md5sums array. This is very important to the derivative distribution Parabola. (However, the 'SKIP' option is still valuable for URLs that track a branch)
Can you explain why this is important? That would help me understand what you are trying to achieve that can not be done with the current system. The only reason I can see to create a tarball is to distribute the source on its own. Using "makepkg --allsource" creates a full source tarball including the VCS sources. If you are worried about integrity of those VCS sources in the source tarball, adding a checksum to the PKGBUILD does nothing as the PKGBUILD can be edited too. You are best to use "makepkg --allsource" and PGP sign the resulting tarball. But perhaps I entirely missed the issue... A comment that I need to make is about the need for a separate tool to download the vcs sources. We used to have a script called "versionpkg" that dealt with VCS packages. That got merged into makepkg and my recent work was to fully integrate VCS packaging into makepkg. So going using a separate script to deal with VCS sources is really a step or two backwards. Allan