[arch-dev-public] git packages and checksums

Anatol Pomozov anatol.pomozov at gmail.com
Tue Jul 21 00:04:11 UTC 2015


Hi

On Sat, Jul 18, 2015 at 4:10 PM, Gaetan Bisson <bisson at archlinux.org> wrote:
> [2015-07-18 15:13:43 -0700] Anatol Pomozov:
>> On Sat, Jul 18, 2015 at 1:04 PM, Gaetan Bisson <bisson at archlinux.org> wrote:
>> > Instead I suggest we use the full commit hash. In the example above,
>> > that'd become something like:
>> >
>> >         _commit=9a50ce20ef60263a6c88c29470ce761fcc424f2d
>> >         source=("git://github.com/systemd/systemd.git#commit=$_commit")
>> >         md5sums=('SKIP')
>>
>> Would it be better to improve *sums=() function to work with
>> directories? This will also help svn/hg based packages.
>>
>> A simple solution is to tar whole directory and then calculate the checksum:
>>
>> tar -c "$DIR" | md5sum
>
> This involves file attributes, so it seems the md5sum would change any
> time you do a new `git clone` even if no actual content has changed.

tar has options to control file attributes added to the archive. For
your case this will be '--mtime=0'. Instead of tar it is possible to
use something like hashdeep [1] or just plain 'find' + {md5,sha1}sums.

The point is that we already have a way to describe checksums for
sources. It would be great to extend it to cases like VCS based
releases (git, svn, hg, ...).

[1] https://github.com/jessek/hashdeep/

>
> Also I think the commit hash is an intrinsically better value because it
> is explicitly published by upstream. Just as checksums are (or should
> be) published next to release tarballs.
>
> Cheers.
>
> --
> Gaetan

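The attribute-independent directory checksum discussed above, as an added example that is not part of the original thread or of makepkg. Function names (dir_checksum, dir_checksum_tar, make_demo_tree, demo_dir_checksum) are hypothetical, the sample tree is constructed here, and the tar variant assumes GNU tar; the find-based variant needs only POSIX find, sort and coreutils sha256sum.

```shell
#!/bin/sh
# Content-only checksum of a directory tree. Added example for the thread
# above; not makepkg code. Helper names are hypothetical.

# dir_checksum DIR: hash each regular file's content together with its path
# relative to DIR, in sorted order, so mtime, ownership and clone order do
# not change the result. Symlinks contribute their name and target only.
dir_checksum() {
    dir=$1
    (
        cd "$dir" || exit 1
        # "hash  path" per file, in byte order (LC_ALL=C) for stable output.
        find . -type f | LC_ALL=C sort | while IFS= read -r f; do
            printf '%s  %s\n' "$(sha256sum < "$f" | cut -d' ' -f1)" "$f"
        done
        find . -type l | LC_ALL=C sort | while IFS= read -r l; do
            printf 'link %s -> %s\n' "$l" "$(readlink "$l")"
        done
    ) | sha256sum | cut -d' ' -f1
}

# dir_checksum_tar DIR: the tar pipeline from the thread with every attribute
# that varies between clones pinned (GNU tar options; ustar format has no
# extended headers that would smuggle atime/ctime back in).
dir_checksum_tar() {
    tar --format=ustar --sort=name --mtime='@0' \
        --owner=0 --group=0 --numeric-owner \
        -cf - -C "$1" . | sha256sum | cut -d' ' -f1
}

# make_demo_tree DIR STAMP: constructed sample tree (identical content on
# every call) with all mtimes forced to STAMP, simulating a fresh clone.
make_demo_tree() {
    mkdir -p "$1/src"
    printf 'int main(void) { return 0; }\n' > "$1/src/main.c"
    printf 'pkgname=demo\n' > "$1/PKGBUILD"
    ln -sf src/main.c "$1/main.c"
    find "$1" ! -type l -exec touch -t "$2" {} +
}

# demo_dir_checksum: two "clones" with different mtimes hash equal; one
# byte of content change makes them differ. Returns 0 if both hold.
demo_dir_checksum() {
    tmp=$(mktemp -d)
    make_demo_tree "$tmp/clone1" 201507180000
    make_demo_tree "$tmp/clone2" 201507210000
    h1=$(dir_checksum "$tmp/clone1")
    h2=$(dir_checksum "$tmp/clone2")
    printf 'clone1 %s\nclone2 %s\n' "$h1" "$h2"
    printf 'x' >> "$tmp/clone2/src/main.c"
    h3=$(dir_checksum "$tmp/clone2")
    rm -rf "$tmp"
    [ "$h1" = "$h2" ] && [ "$h1" != "$h3" ]
}
```

The find-based function is the one to rely on across platforms; dir_checksum_tar reproduces the thread's tar idea but only gives stable output with GNU tar (--sort=name, --mtime='@0'), and neither variant covers file modes or empty directories, which a real *sums=() extension would have to decide on explicitly.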