[arch-dev-public] git packages and checksums
Gaetan Bisson
bisson at archlinux.org
Sat Jul 18 20:04:28 UTC 2015
Hi,

As more of our official packages use git sources, I'd like to suggest we
always enforce some kind of checksum verification. More specifically,
I'd like us to avoid using straightforward source arrays such as:

    source=("git://github.com/systemd/systemd.git#tag=v$pkgver")
    md5sums=('SKIP')

Instead I suggest we use the full commit hash. In the example above,
that'd become something like:

    _commit=9a50ce20ef60263a6c88c29470ce761fcc424f2d
    source=("git://github.com/systemd/systemd.git#commit=$_commit")
    md5sums=('SKIP')

Does that sound like a good idea?

--
Gaetan
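
A lint for the convention proposed above, as an added example that is not part of the original message or of makepkg: it reads already-expanded source entries and flags git sources that are not pinned to a full 40-character commit hash. The function names are hypothetical, and the tag value in the sample input is constructed.

```shell
#!/bin/sh
# Classify one expanded makepkg source entry ("[name::]url[#fragment]").
# Prints: pinned, unpinned or not-git. (Hypothetical helper, not part of makepkg.)
git_source_pin() {
    entry=${1#*::}                          # drop the optional "name::" prefix
    case $entry in
        git://*|git+*) ;;                   # git source, keep checking
        *) echo not-git; return 0 ;;        # tarballs etc. use real checksums
    esac
    case $entry in
        *'#'*) frag=${entry##*\#} ;;
        *)     echo unpinned; return 0 ;;   # no fragment: follows the default branch
    esac
    case $frag in
        commit=*) hash=${frag#commit=} ;;
        *)        echo unpinned; return 0 ;; # tag= and branch= are mutable refs
    esac
    # Require the full 40-character hex hash, not an abbreviated one.
    if [ "${#hash}" -eq 40 ] && ! printf '%s' "$hash" | LC_ALL=C grep -q '[^0-9a-f]'; then
        echo pinned
    else
        echo unpinned
    fi
}

# Read one entry per line on stdin, report unpinned git sources,
# and return non-zero if any were found.
check_sources() {
    bad=0
    while IFS= read -r src; do
        [ -n "$src" ] || continue
        if [ "$(git_source_pin "$src")" = unpinned ]; then
            echo "unpinned git source: $src"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample input: the two forms from the message, with the tag
# value made up for illustration, plus an entry with no fragment.
check_sources <<'EOF' || echo "lint failed: pin git sources to a full commit hash"
git://github.com/systemd/systemd.git#tag=v1.0
git://github.com/systemd/systemd.git#commit=9a50ce20ef60263a6c88c29470ce761fcc424f2d
systemd::git+https://github.com/systemd/systemd.git
EOF
```

The entries must be expanded first (for instance by sourcing the PKGBUILD and printing `"${source[@]}"` in bash), since a literal `$_commit` is not a 40-character hash.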