[pacman-dev] [PATCH 1/2] libmakepkg: migrate to schema.sh for integsums
We cannot use most of the arrays defined there as srcinfo is dependent on the order, but migrate the hashes for now. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> --- scripts/libmakepkg/srcinfo.sh.in | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scripts/libmakepkg/srcinfo.sh.in b/scripts/libmakepkg/srcinfo.sh.in index 509c4860..b9eeb817 100644 --- a/scripts/libmakepkg/srcinfo.sh.in +++ b/scripts/libmakepkg/srcinfo.sh.in @@ -24,6 +24,7 @@ LIBMAKEPKG_SRCINFO_SH=1 LIBRARY=${LIBRARY:-'@libmakepkgdir@'} source "$LIBRARY/util/pkgbuild.sh" +source "$LIBRARY/util/schema.sh" srcinfo_open_section() { printf '%s = %s\n' "$1" "$2" @@ -63,7 +64,7 @@ srcinfo_write_section_details() { local attr package_arch a local multivalued_arch_attrs=(source provides conflicts depends replaces optdepends makedepends checkdepends - {md5,sha{1,224,256,384,512}}sums) + "${known_hash_algos[@]/%/sums}") for attr in "${singlevalued[@]}"; do pkgbuild_extract_to_srcinfo "$1" "$attr" 0 -- 2.20.1
coreutils 8.26 in December 2016 added this new hashing method which is compatible with the existing md5sum and sha*sum tool usage, while using the blake2 hash algorithm. makepkg uses coreutils to provide source file integrity checks via ${integ}sum binaries and it makes sense to offer this as an additional option. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> --- doc/PKGBUILD.5.asciidoc | 2 +- doc/makepkg.conf.5.asciidoc | 2 +- etc/makepkg.conf.in | 2 +- scripts/libmakepkg/util/schema.sh.in | 2 +- scripts/makepkg.sh.in | 4 ++-- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/doc/PKGBUILD.5.asciidoc b/doc/PKGBUILD.5.asciidoc index 32668adc..e8ce691f 100644 --- a/doc/PKGBUILD.5.asciidoc +++ b/doc/PKGBUILD.5.asciidoc @@ -154,7 +154,7 @@ contain whitespace characters. be skipped. To easily generate md5sums, run ``makepkg -g >> PKGBUILD''. If desired, move the md5sums line to an appropriate location. -*sha1sums, sha224sums, sha256sums, sha384sums, sha512sums (arrays)*:: +*sha1sums, sha224sums, sha256sums, sha384sums, sha512sums, b2sums (arrays)*:: Alternative integrity checks that makepkg supports; these all behave similar to the md5sums option described above. To enable use and generation of these checksums, be sure to set up the `INTEGRITY_CHECK` option in diff --git a/doc/makepkg.conf.5.asciidoc b/doc/makepkg.conf.5.asciidoc index 6334db05..34810f51 100644 --- a/doc/makepkg.conf.5.asciidoc +++ b/doc/makepkg.conf.5.asciidoc @@ -183,7 +183,7 @@ Options **INTEGRITY_CHECK=(**check1 ...**)**:: File integrity checks to use. Multiple checks may be specified; this affects both generation and checking. The current valid options are: - `md5`, `sha1`, `sha224`, `sha256`, `sha384`, and `sha512`. + `md5`, `sha1`, `sha224`, `sha256`, `sha384`, `sha512`, and `b2`. **STRIP_BINARIES=**"--strip-all":: Options to be used when stripping binaries. See linkman:strip[1] diff --git a/etc/makepkg.conf.in b/etc/makepkg.conf.in index 4d5cf4ea..f914684f 100644 --- a/etc/makepkg.conf.in +++ b/etc/makepkg.conf.in @@ -87,7 +87,7 @@ BUILDENV=(!distcc color !ccache check !sign) # OPTIONS=(strip docs libtool staticlibs emptydirs zipman purge !debug) -#-- File integrity checks to use. Valid: md5, sha1, sha224, sha256, sha384, sha512 +#-- File integrity checks to use. Valid: md5, sha1, sha224, sha256, sha384, sha512, b2 INTEGRITY_CHECK=(md5) #-- Options to be used when stripping binaries. See `man strip' for details. STRIP_BINARIES="@STRIP_BINARIES@" diff --git a/scripts/libmakepkg/util/schema.sh.in b/scripts/libmakepkg/util/schema.sh.in index 38f034e0..a611d221 100644 --- a/scripts/libmakepkg/util/schema.sh.in +++ b/scripts/libmakepkg/util/schema.sh.in @@ -26,7 +26,7 @@ LIBRARY=${LIBRARY:-'@libmakepkgdir@'} source "$LIBRARY/util/util.sh" -known_hash_algos=({md5,sha{1,224,256,384,512}}) +known_hash_algos=({md5,sha{1,224,256,384,512},b2}) pkgbuild_schema_arrays=(arch backup checkdepends conflicts depends groups license makedepends noextract optdepends options diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in index 5606f65b..fd8ec8eb 100644 --- a/scripts/makepkg.sh.in +++ b/scripts/makepkg.sh.in @@ -1210,7 +1210,7 @@ unset sha{1,224,256,384,512}sums makedepends optdepends options noextract validp unset "${!makedepends_@}" "${!depends_@}" "${!source_@}" "${!checkdepends_@}" unset "${!optdepends_@}" "${!conflicts_@}" "${!provides_@}" "${!replaces_@}" unset "${!md5sums_@}" "${!sha1sums_@}" "${!sha224sums_@}" "${!sha256sums_@}" -unset "${!sha384sums_@}" "${!sha512sums_@}" +unset "${!sha384sums_@}" "${!sha512sums_@}" "${!b2sums_@}" BUILDFILE=${BUILDFILE:-$BUILDSCRIPT} if [[ ! -f $BUILDFILE ]]; then @@ -1340,7 +1340,7 @@ if (( INFAKEROOT )); then else run_split_packaging fi - + create_debug_package msg "$(gettext "Leaving %s environment.")" "fakeroot" -- 2.20.1
On 16/2/19 2:38 am, Eli Schwartz wrote:
We cannot use most of the arrays defined there as srcinfo is dependent on the order, but migrate the hashes for now.
That took me a long time to parse... I'll clarify "there" is in schema.sh. A
On 16/2/19 2:38 am, Eli Schwartz wrote:
coreutils 8.26 in December 2016 added this new hashing method which is compatible with the existing md5sum and sha*sum tool usage, while using the blake2 hash algorithm.
makepkg uses coreutils to provide source file integrity checks via ${integ}sum binaries and it makes sense to offer this as an additional option.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> ---
Is there many open-source projects providing b2 checksums for their source files? My opinion with checksums remains that they are only as good as the source you download them from. If you have to generate them locally, they are already far from idea. This is why md5sum will remain the default in pacman (unless we implement crc32...). A
On 2/20/19 11:30 PM, Allan McRae wrote:
On 16/2/19 2:38 am, Eli Schwartz wrote:
coreutils 8.26 in December 2016 added this new hashing method which is compatible with the existing md5sum and sha*sum tool usage, while using the blake2 hash algorithm.
makepkg uses coreutils to provide source file integrity checks via ${integ}sum binaries and it makes sense to offer this as an additional option.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> ---
Is there many open-source projects providing b2 checksums for their source files?
I haven't done much investigation, since I'd like makepkg to support it either way, and, supporting it in makepkg can only be beneficial if trying to convince upstreams to add them. (This is independent of the fact that some aspects of the community, myself included, believe in the value of Trust-On-First-Use for packaging purposes, and/or would use b2sum if available, when releasing our own software.) However, I do know of at least one case where upstream provides b2sum. For some background context: the Gentoo distribution has (as of November 2017) standardized on BLAKE2B plus SHA512 for verifying package sources, and all new commits to their ebuild repository require both of these. Gentoo is also the upstream for some projects, the one I am thinking of specifically is [community]/pax-utils. It is therefore possible to grab sha512sums=(...) b2sums=(...) from the Gentoo ebuild, and additionally verify these using the PGP signature upon the commit which added the ebuild and the source manifest for that version of pax-utils. Note that the Gentoo package maintainer and the lead developer are the same person. So, implementing b2sum support in makepkg would mean that our pax-utils packager could add upstream b2sum hashes as soon as the next version of pacman is released.
My opinion with checksums remains that they are only as good as the source you download them from. If you have to generate them locally, they are already far from idea. This is why md5sum will remain the default in pacman (unless we implement crc32...).
Didn't we conclude that crc32 is not even especially good at detecting accidental errors? I think md5 is still a reasonable baseline here. :) -- Eli Schwartz Bug Wrangler and Trusted User
On 16/2/19 2:38 am, Eli Schwartz wrote:
coreutils 8.26 in December 2016 added this new hashing method which is compatible with the existing md5sum and sha*sum tool usage, while using the blake2 hash algorithm.
makepkg uses coreutils to provide source file integrity checks via ${integ}sum binaries and it makes sense to offer this as an additional option.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Applying. Note there is an unrelated change at the end to fix whitespace that I have removed from this patch.
--- doc/PKGBUILD.5.asciidoc | 2 +- doc/makepkg.conf.5.asciidoc | 2 +- etc/makepkg.conf.in | 2 +- scripts/libmakepkg/util/schema.sh.in | 2 +- scripts/makepkg.sh.in | 4 ++-- 5 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/doc/PKGBUILD.5.asciidoc b/doc/PKGBUILD.5.asciidoc index 32668adc..e8ce691f 100644 --- a/doc/PKGBUILD.5.asciidoc +++ b/doc/PKGBUILD.5.asciidoc @@ -154,7 +154,7 @@ contain whitespace characters. be skipped. To easily generate md5sums, run ``makepkg -g >> PKGBUILD''. If desired, move the md5sums line to an appropriate location.
-*sha1sums, sha224sums, sha256sums, sha384sums, sha512sums (arrays)*:: +*sha1sums, sha224sums, sha256sums, sha384sums, sha512sums, b2sums (arrays)*:: Alternative integrity checks that makepkg supports; these all behave similar to the md5sums option described above. To enable use and generation of these checksums, be sure to set up the `INTEGRITY_CHECK` option in diff --git a/doc/makepkg.conf.5.asciidoc b/doc/makepkg.conf.5.asciidoc index 6334db05..34810f51 100644 --- a/doc/makepkg.conf.5.asciidoc +++ b/doc/makepkg.conf.5.asciidoc @@ -183,7 +183,7 @@ Options **INTEGRITY_CHECK=(**check1 ...**)**:: File integrity checks to use. Multiple checks may be specified; this affects both generation and checking. The current valid options are: - `md5`, `sha1`, `sha224`, `sha256`, `sha384`, and `sha512`. + `md5`, `sha1`, `sha224`, `sha256`, `sha384`, `sha512`, and `b2`.
**STRIP_BINARIES=**"--strip-all":: Options to be used when stripping binaries. See linkman:strip[1] diff --git a/etc/makepkg.conf.in b/etc/makepkg.conf.in index 4d5cf4ea..f914684f 100644 --- a/etc/makepkg.conf.in +++ b/etc/makepkg.conf.in @@ -87,7 +87,7 @@ BUILDENV=(!distcc color !ccache check !sign) # OPTIONS=(strip docs libtool staticlibs emptydirs zipman purge !debug)
-#-- File integrity checks to use. Valid: md5, sha1, sha224, sha256, sha384, sha512 +#-- File integrity checks to use. Valid: md5, sha1, sha224, sha256, sha384, sha512, b2 INTEGRITY_CHECK=(md5) #-- Options to be used when stripping binaries. See `man strip' for details. STRIP_BINARIES="@STRIP_BINARIES@" diff --git a/scripts/libmakepkg/util/schema.sh.in b/scripts/libmakepkg/util/schema.sh.in index 38f034e0..a611d221 100644 --- a/scripts/libmakepkg/util/schema.sh.in +++ b/scripts/libmakepkg/util/schema.sh.in @@ -26,7 +26,7 @@ LIBRARY=${LIBRARY:-'@libmakepkgdir@'} source "$LIBRARY/util/util.sh"
-known_hash_algos=({md5,sha{1,224,256,384,512}}) +known_hash_algos=({md5,sha{1,224,256,384,512},b2})
pkgbuild_schema_arrays=(arch backup checkdepends conflicts depends groups license makedepends noextract optdepends options diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in index 5606f65b..fd8ec8eb 100644 --- a/scripts/makepkg.sh.in +++ b/scripts/makepkg.sh.in @@ -1210,7 +1210,7 @@ unset sha{1,224,256,384,512}sums makedepends optdepends options noextract validp unset "${!makedepends_@}" "${!depends_@}" "${!source_@}" "${!checkdepends_@}" unset "${!optdepends_@}" "${!conflicts_@}" "${!provides_@}" "${!replaces_@}" unset "${!md5sums_@}" "${!sha1sums_@}" "${!sha224sums_@}" "${!sha256sums_@}" -unset "${!sha384sums_@}" "${!sha512sums_@}" +unset "${!sha384sums_@}" "${!sha512sums_@}" "${!b2sums_@}"
BUILDFILE=${BUILDFILE:-$BUILDSCRIPT} if [[ ! -f $BUILDFILE ]]; then @@ -1340,7 +1340,7 @@ if (( INFAKEROOT )); then else run_split_packaging fi - + create_debug_package
msg "$(gettext "Leaving %s environment.")" "fakeroot"
participants (2)
-
Allan McRae
-
Eli Schwartz