On 2014-06-06 07:20, Florian Bruhin wrote:
> I also found some constructs to automatically get a checksum file from upstream via curl/wget - is this an encouraged thing to do? Though this one probably isn't a good idea :D md5sums=(`wget -qO- $source | md5sum | cut -c -32`)
I might be able to speak to that one a bit. Several of the packages that use some of these constructs act more like VCS packages than standard packages (e.g., they have a pkgver() function). This type of construct is incredibly helpful because it allows the integrity check to be made without the packager having to manually grab the checksums each update. Plus, if the packager has done her job well, then such a method should be equally as secure as manually grabbing the checksums (the location from which the checksums would be grabbed is the same). Admittedly, I have no idea if such a method is considered good practice, but it has seemed like a net positive to me.

One final note though, the quality of packages in the User Repository (and the methods therein) has little to no bearing on the packaging techniques in [core] and [extra]. Even if the method for fetching checksums above were widely used and considered to be a good idea, it is not one I can imagine being helpful in the dev-maintained repos.

--
All the best,
Sam Stuewe (HalosGhost)
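The two constructs discussed in this thread behave very differently, and the difference is easy to show offline. The following POSIX shell is an added example, not code from the thread or from any Arch package: self_hash_check mirrors the quoted `md5sum | cut -c -32` construct, which hashes the very bytes it is supposed to verify and therefore can never fail; published_sum_check mirrors the "fetch the upstream checksum file" approach Sam describes, looking a file up in a sha256sum-formatted sums file. The "upstream" tarball and the SHA256SUMS file are constructed in a temp directory so nothing is downloaded; the function and file names are assumptions. As Sam notes, a sums file fetched from the same location as the source only protects against corrupted or mis-mirrored downloads, not against that location itself being compromised.

```shell
#!/bin/sh
# Added example (not from the thread): the self-referential checksum construct
# beside a check against an upstream-published sums file. Runs offline on
# constructed files in a temp directory; the "upstream" is simulated locally.

# self_hash_check FILE
# Mirrors the construct quoted in the thread: the expected md5 is computed
# from the same bytes that are then verified, so the comparison always holds.
self_hash_check() {
    file=$1
    expected=$(md5sum < "$file" | cut -c -32)   # stands in for md5sums=(`wget -qO- $source | md5sum | cut -c -32`)
    actual=$(md5sum < "$file" | cut -c -32)
    [ "$expected" = "$actual" ]
}

# published_sum_check FILE SUMSFILE NAME
# Looks NAME up in a sha256sum-formatted checksum file (the format many
# upstreams publish as SHA256SUMS) and compares it with the sha256 of FILE.
# Returns 0 on match, 1 on mismatch, 2 if NAME has no entry in SUMSFILE.
published_sum_check() {
    file=$1 sums=$2 name=$3
    # sha256sum writes "HASH  NAME" (text mode) or "HASH *NAME" (binary mode)
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$sums")
    [ -n "$expected" ] || return 2
    actual=$(sha256sum < "$file" | cut -c -64)
    [ "$expected" = "$actual" ]
}

# make_upstream DIR
# Constructs a pretend source tarball and a sums file for it in DIR.
make_upstream() {
    printf 'pretend-source-v1\n' > "$1/foo-1.0.tar"
    ( cd "$1" && sha256sum foo-1.0.tar > SHA256SUMS )
}

# demo_untampered: the genuine file passes both checks (returns 0).
demo_untampered() {
    tmp=$(mktemp -d) || return 1
    make_upstream "$tmp"
    self=1; pub=1
    if self_hash_check "$tmp/foo-1.0.tar"; then self=0; fi
    if published_sum_check "$tmp/foo-1.0.tar" "$tmp/SHA256SUMS" foo-1.0.tar; then pub=0; fi
    rm -rf "$tmp"
    [ "$self" -eq 0 ] && [ "$pub" -eq 0 ]
}

# demo_tampered: the download is modified after the sums file was published.
# Returns 0 when the self-hash check still passes while the published-sum
# check rejects the file, which is the outcome this example illustrates.
demo_tampered() {
    tmp=$(mktemp -d) || return 1
    make_upstream "$tmp"
    printf 'tampered-source\n' > "$tmp/foo-1.0.tar"   # simulate a modified download
    self=1; pub=1
    if self_hash_check "$tmp/foo-1.0.tar"; then self=0; fi
    if published_sum_check "$tmp/foo-1.0.tar" "$tmp/SHA256SUMS" foo-1.0.tar; then pub=0; else pub=$?; fi
    rm -rf "$tmp"
    [ "$self" -eq 0 ] && [ "$pub" -eq 1 ]
}

# demo_missing_entry: a file absent from the sums file is reported (returns 0
# when published_sum_check returns its distinct "no entry" status of 2).
demo_missing_entry() {
    tmp=$(mktemp -d) || return 1
    make_upstream "$tmp"
    if published_sum_check "$tmp/foo-1.0.tar" "$tmp/SHA256SUMS" bar-2.0.tar; then rc=0; else rc=$?; fi
    rm -rf "$tmp"
    [ "$rc" -eq 2 ]
}

if demo_tampered; then
    echo "tampered download: self-hash construct passed it, published-sum check rejected it"
fi
```

Note that published_sum_check deliberately distinguishes "no entry" (status 2) from "mismatch" (status 1): a lookup that silently yields an empty expected hash would otherwise compare equal to nothing and fail for the wrong reason, or, with a looser comparison, pass.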