[arch-dev-public] git packages and checksums
Anatol Pomozov
anatol.pomozov at gmail.com
Sat Jul 18 22:13:43 UTC 2015
Hi

On Sat, Jul 18, 2015 at 1:04 PM, Gaetan Bisson <bisson at archlinux.org> wrote:
> Hi,
>
> As more of our official packages use git sources, I'd like to suggest we
> always enforce some kind of checksum verification. More specifically,
> I'd like us to avoid using straightforward source arrays such as:
>
> source=("git://github.com/systemd/systemd.git#tag=v$pkgver")
> md5sums=('SKIP')
>
> Instead I suggest we use the full commit hash. In the example above,
> that'd become something like:
>
> _commit=9a50ce20ef60263a6c88c29470ce761fcc424f2d
> source=("git://github.com/systemd/systemd.git#commit=$_commit")
> md5sums=('SKIP')

Would it be better to improve the *sums=() function to work with
directories? This will also help svn/hg based packages.

A simple solution is to tar the whole directory and then calculate the checksum:

tar -c "$DIR" | md5sum

>
> Does that sound like a good idea?
>
> --
> Gaetan
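
Added example, not part of the original message or of makepkg: a tar stream records mtimes, ownership and directory read order, so the same checkout can produce different archive checksums. The sketch below compares the tar form with a digest over a sorted manifest of per-file hashes. The function names and sample trees are hypothetical, and sha256sum is swapped in for md5sum.

```shell
#!/bin/sh
# Added example: tar-based checksum vs. a content-only directory digest.

# Tar form of the checksum (sha256sum swapped in for md5sum).
tar_digest() {
    tar -c -C "$1" . | sha256sum | cut -d' ' -f1
}

# Digest over a sorted manifest of "<sha256>  <relative path>" lines.
# Covers regular-file contents and paths only; modes, symlinks and empty
# directories are not part of the digest.
dir_digest() {
    [ -d "$1" ] || return 1
    ( cd "$1" || exit 1
      find . -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum
    ) | sha256sum | cut -d' ' -f1
}

# Constructed sample: a small tree whose timestamps are set to $2.
make_tree() {
    mkdir -p "$1/src"
    printf 'int main(void) { return 0; }\n' > "$1/src/main.c"
    printf 'all:\n\tcc src/main.c\n' > "$1/Makefile"
    touch -t "$2" "$1/src/main.c" "$1/Makefile" "$1/src" "$1"
}

# Two checkouts with identical content but different mtimes.
demo() {
    work=$(mktemp -d) || return 1
    make_tree "$work/a" 201507180000
    make_tree "$work/b" 201507190000
    echo "tar a: $(tar_digest "$work/a")"
    echo "tar b: $(tar_digest "$work/b")"
    echo "dir a: $(dir_digest "$work/a")"
    echo "dir b: $(dir_digest "$work/b")"
    rm -rf "$work"
}

demo
```

The two tar digests differ while the two manifest digests match; changing any file's content changes the manifest digest.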