On 06/05/10 11:10, Dan McGee wrote:
On Wed, May 5, 2010 at 7:51 PM, Allan McRae <allan@archlinux.org> wrote:
3) 5d911ae makepkg: allow skipping integrity checks when making source package
And here is the fun one... "makepkg --source" currently requires checking all checksums. Using "--source --skipinteg" does not skip this, which in itself makes little sense to me. The argument that this stops people distributing packages with bad checksums is flawed. There is nothing stopping them doing that now. They just have to not use makepkg when creating the tarball, which could lead to even worse PKGBUILDs being distributed as none of makepkg's other checks would be performed.
Part of me says this is at least a barrier they would have to work to cross and defeat, and just downloading the darn source would be quicker for most. I do understand that a quick `tar czf` would circumvent the whole thing, but it has become so easy to create source packages that I don't feel many people even think about it this way anymore. Correct me if I'm wrong.
Admittedly, this patch will see little use. I used to use it in combination with #2 when checking that a modified patch compiled on both my i686 and x86_64 machines. Now that I build both architectures on one machine, this is of less use to me. I have also used it when commenting on a PKGBUILD that was sent to me with a query about the best way to implement something. There I modified some of the build() function to be clearer and sent it to the author saying I would use this approach but it is not tested. Note I could have used tar manually (in fact the tar file name would have been tab autocompleted so the command would probably be simpler to type), but then I would not get the other checks makepkg provides.
Note that this patch does not make --skipinteg the default. In fact, given how long the option is, it is very unlikely that a user could ever accidentally type it! There is no difference in behaviour to the current "makepkg --source" unless the user specifically requests it. The patch just makes --skipinteg do what its name says: skip integrity checks.
Well, after reading most of this you may have won me over. Maybe I can get just one small concession: when you use both of these options together (or --allsource I believe it is), we print one more warning saying "this source package is not guaranteed to work for anyone else!" or something along those lines.
I have pushed a more strongly worded message into my working branch. I am sure the message could be improved.

Allan