[arch-commits] Commit in pacman/trunk (PKGBUILD makepkg.conf)

Levente Polyak anthraxx at archlinux.org
Thu May 20 19:44:20 UTC 2021


    Date: Thursday, May 20, 2021 @ 19:44:19
  Author: anthraxx
Revision: 415800

upgpkg: pacman 6.0.0-2: switch default integrity to sha256

The upstream makepkg.conf is a pure example and expected to be
downstream opinionated. Let's take the opportunity with pacman 6.0.0
to introduce an opinionated default integrity.

The integrity by itself is not meant to be a security property but a
pure transfer check. However, in our downstream the integrity can have
some limited gain (compared to nothing) for users that properly care when
those integrity values differ. This is specifically the case in highly
distributed rebuild environments like the AUR by applying the concept of
TOFU (trust on first use) -- which by default is also applied to SSH
host verification checks and serves a good purpose when handled
appropriately. Let's aid the usage of TOFU by providing a stronger
default in our downstream and give users the opportunity to easily
detect in-transit modifications of packages whose packagers just
generated default integrity values.

Modified:
  pacman/trunk/PKGBUILD
  pacman/trunk/makepkg.conf

--------------+
 PKGBUILD     |    4 ++--
 makepkg.conf |    2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2021-05-20 18:49:49 UTC (rev 415799)
+++ PKGBUILD	2021-05-20 19:44:19 UTC (rev 415800)
@@ -3,7 +3,7 @@
 
 pkgname=pacman
 pkgver=6.0.0
-pkgrel=1
+pkgrel=2
 pkgdesc="A library-based package manager with dependency support"
 arch=('x86_64')
 url="https://www.archlinux.org/pacman/"
@@ -26,7 +26,7 @@
 sha256sums=('004448085a7747bdc7a0a4dd5d1fb7556c6b890111a06e029ab088f9905d4808'
             'SKIP'
             '606e55f06c297d2b508bc4438890b229a1abaa68b0374a2d7f94c8e7be6792d7'
-            'd46eb9341d9f02ead0dfa7583f127f3d8d5075af726c8570f6ae9a3ebf633ec7')
+            '89d1dd7e7064243754efc1993a8843a400afd5d7c15070787985376ec346d6d9')
 
 build() {
   cd "$pkgname-$pkgver"
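
Review bot: The replaced fourth sha256sums entry changes while pkgver stays at 6.0.0, and this hunk does not show the source array, so the diff alone does not say which file the new hash covers. If it is the makepkg.conf edited in this same commit, a line in the commit message saying so (and a check that the array order still matches source) would make the change auditable. The unchanged 'SKIP' in the second slot leaves that source with no pinned value at all, so it is worth confirming it is covered by a signature check, given the stated goal of helping users notice differing integrity values.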

Modified: makepkg.conf
===================================================================
--- makepkg.conf	2021-05-20 18:49:49 UTC (rev 415799)
+++ makepkg.conf	2021-05-20 19:44:19 UTC (rev 415800)
@@ -94,7 +94,7 @@
 OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !debug !lto)
 
 #-- File integrity checks to use. Valid: md5, sha1, sha224, sha256, sha384, sha512, b2
-INTEGRITY_CHECK=(ck)
+INTEGRITY_CHECK=(sha256)
 #-- Options to be used when stripping binaries. See `man strip' for details.
 STRIP_BINARIES="--strip-all"
 #-- Options to be used when stripping shared libraries. See `man strip' for details.
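
Review bot: The new INTEGRITY_CHECK=(sha256) line carries no comment marking it as a downstream choice, so anyone diffing this file against upstream's makepkg.conf has to dig through the commit log for the rationale; a one-line comment above it would cover that. The "Valid:" comment directly above also omits ck, the value being removed here, so that list should be checked against what makepkg actually accepts.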



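The trust-on-first-use comparison the commit message describes, sketched as an added example (not code from this commit, pacman or makepkg): it pins the sha256sums of a first-seen PKGBUILD and reports what differs on a later fetch. The function names, finding labels and the sample PKGBUILD text are assumptions made for illustration.

```python
import re

HEX64 = re.compile(r"^[0-9a-f]{64}$")

def parse_pkgbuild(text):
    """Read pkgver and sha256sums by pattern matching; the PKGBUILD is never sourced."""
    ver = re.search(r"^pkgver=(\S+)", text, re.M)
    arr = re.search(r"^sha256sums=\((.*?)\)", text, re.M | re.S)
    sums = re.findall(r"'([^']*)'", arr.group(1)) if arr else []
    return (ver.group(1) if ver else None), sums

def tofu_check(pinned, current):
    """Return (index, finding) pairs comparing a first-seen PKGBUILD with a later fetch."""
    pin_ver, pin_sums = parse_pkgbuild(pinned)
    cur_ver, cur_sums = parse_pkgbuild(current)
    findings = []
    if len(pin_sums) != len(cur_sums):
        findings.append((None, "source-count-changed"))
    for i, new in enumerate(cur_sums):
        old = pin_sums[i] if i < len(pin_sums) else None
        if new == "SKIP":
            # Nothing was recorded on first use, so nothing can be compared later.
            findings.append((i, "unpinned"))
        elif not HEX64.match(new):
            findings.append((i, "not-a-sha256"))
        elif old not in (None, "SKIP", new):
            # Same pkgver with a new hash: a local file was edited or an artifact
            # was replaced. Either way a human should look before building.
            same = pin_ver == cur_ver
            findings.append((i, "changed-same-version" if same else "changed-new-version"))
    return findings

# Constructed sample input: two revisions of a PKGBUILD with placeholder hashes.
A, B, C = "a" * 64, "b" * 64, "c" * 64
TEMPLATE = ("pkgname=demo\npkgver=1.0\npkgrel={rel}\n"
            "sha256sums=('{s0}'\n            'SKIP'\n            '{s2}')\n")
FIRST_SEEN = TEMPLATE.format(rel=1, s0=A, s2=B)
REFETCHED = TEMPLATE.format(rel=2, s0=A, s2=C)

if __name__ == "__main__":
    for idx, finding in tofu_check(FIRST_SEEN, REFETCHED):
        print(idx, finding)
```

A "changed-same-version" finding is not proof of tampering: the PKGBUILD hunk above shows a legitimate one, where a hash changes under an unchanged pkgver.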