[arch-general] Severity of Failed checksum for PKGBUILD
Daniel Micay
danielmicay at gmail.com
Fri Feb 20 08:27:21 UTC 2015
On 19/02/15 11:39 PM, Mark Lee wrote:
> On 02/19/2015 05:46 PM, Mark Lee wrote:
>> On 02/19/2015 05:24 PM, Lukas Jirkovsky wrote:
>>> On 19 February 2015 at 21:42, Doug Newgard <scimmia at archlinux.info> wrote:
>>>> You can't. If upstream provides a checksum, that gives you some verification,
>>>> but since github doesn't, there's no way to verify any of it.
>>>
>>> I don't know about github, but with bitbucket the checksums of these
>>> generated tarballs may change occasionally as I had this issue with
>>> luxrender. However, the sources were always the same, it was the
>>> metadata that changed.
>>>
>>
>> How important are checksums to PKGBUILDS then? Should sources with
>> varying checksums just have 'SKIP' in their integrity arrays?
>>
>> Regards,
>> Mark
>>
>
> Furthermore, if the integrity check is different from upstream, is a
> packager obligated to host a copy of the source code for GPLed software?
>
> Regards,
> Mark
No... the integrity check not matching is not because an out-of-tree
source tree was used. The checksums are certainly not there to improve
security, that's what GPG signatures are for.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-general/attachments/20150220/5ed72f16/attachment.asc>
More information about the arch-general
mailing list