Loui Chang wrote:
On Fri 30 Oct 2009 22:21 +1000, Allan McRae wrote:
On Fri 30 Oct 2009 15:29 +1000, Allan McRae wrote:
Jeff wrote: >> Patch [1] extends the --skipinteg option allow the generation of >> a source tarball without requiring the checking of the integrity >> checks > You've given the what, but what is the why? If the source integrity is > flawed, then the generated source package is flawed. This seems like > something that should be safeguarded against, IMO. I can come up with two use cases:
1) making a PKGBUILD for a snapshot release that is always accessible from some sort of LATEST release directory symlink. Many projects use something like that. That way the PKGBUILD does not need updated every time a snapshot is release. While it may be argued that it is better to use a svn/cvs/git/etc PKGBUILD, in many cases the snapshots are generally sanity checked before release. 2) This happens to me occasionally. Someone sends me a PKGBUILD they can not get working. I see an obvious error, fix it and send the PKGBUILD back saying "try this" because I really do not want to download the sources/dependencies to check myself. In both cases if you could omit checksums and makepkg could interpret
On Thu 29 Oct 2009 14:40 +1000, Allan McRae wrote: that as "the packager doesn't really care about integrity, skip checks". In case 2, why would I delete the checksums that are correct and supplied just because I do not want to download the source to check
Loui Chang wrote: them? How do you know they are correct if you haven't checked them? Please read case two again. I can assume they are correct given they were provided to me and I do not want to download the sources to get
Loui Chang wrote: them. I have this happen to me around once every week or two which is one of the reason I was motivated to write this patch.
You can assume sure, but you can't know. It could be a reason behind your user's problems. The only true way to maintain integrity is to do the checks.
You can look at it this way: with makepkg you are making a 'source package' so you want to maintain integrity. If you just want to send people a bunch o files, tar is a more suitable tool.
It could print a warning, and you don't need another fancy flag. Note it is not another fancy flag. It is a reuse of an already Sorry. I guess the man page needs updating. Looks like it's pretty new. Nope... man makepkg: --skipinteg Do not fail when the PKGBUILD does not contain any integrity checks, just print a warning instead.
Aha. Thanks, I see it.
implemented flag. And that suggestion would mean that instead of the current error on no integrity checks, makepkg would instead just print a warning (which is as good as being silent early in the build process). My patch, keeps that error and the user has to go out of their way to use --skipinteg. You would not type this unless you had a reason, so in the vast, vast majority of cases, the integrity checks will be performed. If you're just someone who's building (not the packager) and you're adding checksums to the PKGBUILD afterwards, you don't really know whether the source is valid or not. It's a waste of time, and a false sense of integrity to add them afterwards, and then have to use --skipinteg. What is your point here? I never said anything about adding checksums afterwards. And why would you use --skipinteg after adding checksums? I am entirely lost... Also, I see no way that not shipping checksums in a PKGBUILD would give a false sense of security. You would need to use the --skipinteg flag to build the package, which would seem to flag insecure to me.
You might add checksums to not have to use --skipinteg, but integrity actually wouldn't be insured in that case. You might use --skipinteg after adding checksums if your sources snapshot changed.
You have a point that needing --skipinteg makes the user aware of insecure/invalid sources, but that only applies when building binaries for yourself. Checksums should always be enforced when distributing binaries to others. So my suggestion of skipping checks if checksums are missing was flawed. Checks should always be enforced.
The --skipinteg flag just seems like a workaround for the lazy.
I just want to point out that I have run into yet another situation where --skipinteg when generating a source package would be useful. I am moving some packages from the Arch repos to the AUR. The md5sums are obviously correct but I am forced to download the sources. (Well, I am not as my makepkg is patched... but you get my point). This is the only case I can think of in makepkg/pacman where we force a user to do something the "correct" way. For every other check I can think of, there is a flag to stop it being performed. Allan