[arch-dev-public] git packages and checksums

Gaetan Bisson bisson at archlinux.org
Sat Jul 18 23:10:29 UTC 2015


[2015-07-18 15:13:43 -0700] Anatol Pomozov:
> On Sat, Jul 18, 2015 at 1:04 PM, Gaetan Bisson <bisson at archlinux.org> wrote:
> > Instead I suggest we use the full commit hash. In the example above,
> > that'd become something like:
> >
> >         _commit=9a50ce20ef60263a6c88c29470ce761fcc424f2d
> >         source=("git://github.com/systemd/systemd.git#commit=$_commit")
> >         md5sums=('SKIP')
> 
> Would it be better to improve *sums=() function to work with
> directories? This will also help svn/hg based packages.
>
> A simple solution is to tar whole directory and then calculate the checksum:
> 
> tar -c $DIR | md5sum

This involves file attributes, so it seems the md5sum would change any
time you do a new `git clone` even if no actual content has changed.

Also I think the commit hash is an intrinsically better value because it
is explicitly published by upstream. Just as checksums are (or should
be) published next to release tarballs.

Cheers.

-- 
Gaetan


More information about the arch-dev-public mailing list