[arch-general] Severity of Failed checksum for PKGBUILD
Doug Newgard
scimmia at archlinux.info
Thu Feb 19 20:28:44 UTC 2015
On Thu, 19 Feb 2015 15:15:42 -0500
Mark Lee <mark at markelee.com> wrote:
> Salutations,
>
> After trying to build the mpv-0.8.0-1 and finding that the PKGBUILD's
> checksum was incorrect, I filed a bug report. See
> <https://bugs.archlinux.org/task/43882?project=5&cat%5B0%5D=33&string=mpv>.
>
> I filed it under "critical" since an incorrect checksum means that the
> package was built from source that doesn't match upstream's source. I
> was told it's not a critical issue and it was downgraded to medium. I'm
> wondering why incorrect checksums aren't considered "critical".
>
> Regards,
> Mark
The checksum matched when the package was built or it wouldn't have built for
the maintainer, either. This means it's not a security issue, the only way it
could be considered critical. All it means is that upstream changed something,
only really affecting people trying to build from the PKGBUILDs. Normally, I
would make this low severity, as it really doesn't matter that much.
Doug
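The check Doug is describing, as an added example that is not part of this thread and not makepkg's own code: makepkg compares each downloaded source file against the digest recorded in the PKGBUILD (here a sha256sums=() array, one of the checksum arrays makepkg accepts). The script below reproduces that comparison, then plays out the scenario from the bug report: the tarball verifies at the time the maintainer builds, upstream later re-rolls the archive under the same filename, and the same PKGBUILD now fails for anyone building from it. The file name mpv-0.8.0.tar.gz and its contents are constructed stand-ins, and the script assumes a POSIX sh with coreutils sha256sum and mktemp available.

```shell
#!/bin/sh
# Added example, not part of the arch-general thread or of makepkg itself.
# Reproduces the one check makepkg runs on a downloaded source file:
# its SHA-256 must equal the value recorded in the PKGBUILD's sha256sums=() array.

# sha256_of FILE -> prints the hex digest (assumes coreutils sha256sum)
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_source FILE EXPECTED -> 0 if FILE's digest equals EXPECTED, 1 otherwise.
# Output mimics makepkg's "Validating source files" lines.
verify_source() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "    $file ... Passed"
        return 0
    else
        echo "    $file ... FAILED (PKGBUILD has $expected, file is $actual)"
        return 1
    fi
}

# pkgbuild_sums_line FILE... -> prints a PKGBUILD-style sha256sums=() array for FILE...,
# which is what a maintainer regenerates after upstream re-rolls a tarball.
pkgbuild_sums_line() {
    printf "sha256sums=("
    first=1
    for f in "$@"; do
        [ $first -eq 1 ] || printf "\n            "
        printf "'%s'" "$(sha256_of "$f")"
        first=0
    done
    printf ")\n"
}

# demo_rerolled_tarball -> walks through the situation in the thread.
# Returns 0 when it behaves as expected: the original archive verifies,
# the re-rolled one does not.
demo_rerolled_tarball() {
    dir=$(mktemp -d)
    tarball="$dir/mpv-0.8.0.tar.gz"   # constructed stand-in for the upstream source archive

    # 1. At package build time the maintainer fetches the tarball and records its digest.
    printf 'constructed archive contents, as fetched by the maintainer\n' > "$tarball"
    recorded=$(sha256_of "$tarball")
    echo "==> Validating source files with sha256sums (maintainer's build)..."
    verify_source "$tarball" "$recorded" || { rm -rf "$dir"; return 1; }

    # 2. Upstream later re-rolls the archive: same filename, different bytes.
    printf 'constructed archive contents, re-rolled by upstream after release\n' > "$tarball"
    echo "==> Validating source files with sha256sums (user building later)..."
    if verify_source "$tarball" "$recorded"; then
        rm -rf "$dir"; return 1   # a changed file must not pass
    fi

    # 3. The fix on the packaging side: record the new digest in the PKGBUILD.
    echo "==> Regenerated array for the PKGBUILD:"
    pkgbuild_sums_line "$tarball"
    rm -rf "$dir"
    return 0
}

demo_rerolled_tarball
```

The binary package already in the repo was produced from the file whose digest the maintainer recorded, so step 2 failing says nothing about that package; it only tells a later builder that what upstream serves today is not the file the PKGBUILD was written against. Whether the new bytes are a harmless re-roll or something worse has to be checked separately (for instance by diffing the two archives or asking upstream) before the array is regenerated; the regeneration itself is what updpkgsums does in place on a PKGBUILD.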