[arch-general] Severity of Failed checksum for PKGBUILD
Mark Lee
mark at markelee.com
Fri Feb 20 04:39:15 UTC 2015
On 02/19/2015 05:46 PM, Mark Lee wrote:
> On 02/19/2015 05:24 PM, Lukas Jirkovsky wrote:
>> On 19 February 2015 at 21:42, Doug Newgard <scimmia at archlinux.info> wrote:
>>> You can't. If upstream provides a checksum, that gives you some verification,
>>> but since github doesn't, there's no way to verify any of it.
>>
>> I don't know about github, but with bitbucket the checksums of these
>> generated tarballs may change occasionally as I had this issue with
>> luxrender. However, the sources were always the same, it was the
>> metadata that changed.
>>
>
> How important are checksums to PKGBUILDS then? Should sources with
> varying checksums just have 'SKIP' in their integrity arrays?
>
> Regards,
> Mark
>
Furthermore, if the integrity check is different from upstream, is a
packager obligated to host a copy of the source code for GPLed software?
Regards,
Mark
More information about the arch-general
mailing list