[arch-general] Severity of Failed checksum for PKGBUILD

Mark Lee mark at markelee.com
Fri Feb 20 14:03:07 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 02/20/2015 03:27 AM, Daniel Micay wrote:
> On 19/02/15 11:39 PM, Mark Lee wrote:
>> On 02/19/2015 05:46 PM, Mark Lee wrote:
>>> On 02/19/2015 05:24 PM, Lukas Jirkovsky wrote:
>>>> On 19 February 2015 at 21:42, Doug Newgard
>>>> <scimmia at archlinux.info> wrote:
>>>>> You can't. If upstream provides a checksum, that gives you
>>>>> some verification, but since github doesn't, there's no way
>>>>> to verify any of it.
>>>> 
>>>> I don't know about github, but with bitbucket the checksums
>>>> of these generated tarballs may change occasionally as I had
>>>> this issue with luxrender. However, the sources were always
>>>> the same, it was the metadata that changed.
>>>> 
>>> 
>>> How important are checksums to PKGBUILDS then? Should sources
>>> with varying checksums just have 'SKIP' in their integrity
>>> arrays?
>>> 
>>> Regards, Mark
>>> 
>> 
>> Furthermore, if the integrity check is different from upstream,
>> is a packager obligated to host a copy of the source code for
>> GPLed software?
>> 
>> Regards, Mark
> 
> No... the integrity check not matching is not because an
> out-of-tree source tree was used. The checksums are certainly not
> there to improve security, that's what GPG signatures are for.
> 

The checksums are there for integrity. The GPG signatures only confirm
the packager built the package. My question is if a packager's
PKGBUILD fails a checksum and the license is GPL, how does the
packager fulfill their requirement to provide the source code? How
does the packager prove that the source was used to build the
binaries, especially when there are hash collisions in md5? The
packager seems to offset the source code necessities by grabbing the
source from upstream, but the checksums don't match...

I understand that the metadata changed which changed the checksum, but
that doesn't really change the question of what to do with source code
versioning systems that have changing checksums and the need to supply
source code for GPL projects.

Regards,
Mark
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iF4EAREIAAYFAlTnPpgACgkQZ/Z80n6+J/bmMwD7Brg4pcLE6Cewagug1pEIrb5X
ZPzsu5wZcm+wEwXFF+YA/R0zlmnr7HApAY/4fCyXGa7/myvFw5KBmAJkf7UdtBpt
=eFui
-----END PGP SIGNATURE-----
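The point Lukas raises (a regenerated forge tarball whose bytes differ although the sources inside are identical) and Mark's question about 'SKIP' can both be seen in a few lines of shell. The script below is an added example; it is not from the thread and not makepkg's own code. It assumes a POSIX shell with GNU tar and coreutils (sha256sum, touch -d, mktemp) and builds its own constructed sample source tree. `pack_tree`, `archive_sum`, `content_sum` and `verify_source` are names chosen here, not makepkg functions; `verify_source` only imitates the Passed / FAILED / Skipped behaviour of a PKGBUILD integrity array.

```shell
#!/bin/sh
# Added example (not from the arch-general thread, not makepkg code).
# Assumes: POSIX sh, GNU tar, coreutils sha256sum / touch / mktemp.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample source tree; the file bytes never change below.
mkdir -p "$WORK/src"
printf 'int main(void) { return 0; }\n' > "$WORK/src/main.c"
printf 'all:\n\tcc -o demo main.c\n' > "$WORK/src/Makefile"

# Pack the tree after stamping it with a given mtime. Two runs with
# different stamps give two archives with identical contents but
# different metadata, which is what a regenerated forge tarball looks like.
pack_tree() {  # $1 = output tarball, $2 = mtime recorded for the files
    touch -d "$2" "$WORK/src" "$WORK/src/main.c" "$WORK/src/Makefile"
    tar -C "$WORK" -cf "$1" src
}

# Checksum of the archive bytes: what a PKGBUILD's sha256sums array holds.
archive_sum() { sha256sum "$1" | cut -d' ' -f1; }

# Checksum of the member contents only, hashed in a fixed order, so
# ownership and timestamps stored in the archive do not influence it.
content_sum() {
    d=$(mktemp -d)
    tar -xf "$1" -C "$d"
    (cd "$d" && find . -type f | LC_ALL=C sort | xargs sha256sum) \
        | sha256sum | cut -d' ' -f1
    rm -rf "$d"
}

# makepkg-style check for one source entry: 'SKIP' accepts the file
# without looking at it; anything else must match the archive checksum.
verify_source() {  # $1 = file, $2 = expected sha256 or SKIP
    if [ "$2" = SKIP ]; then
        echo "$(basename "$1") ... Skipped"
        return 0
    fi
    if [ "$(archive_sum "$1")" = "$2" ]; then
        echo "$(basename "$1") ... Passed"
        return 0
    fi
    echo "$(basename "$1") ... FAILED"
    return 1
}

pack_tree "$WORK/v1.tar" '2015-02-19T17:24:00'
pack_tree "$WORK/v2.tar" '2015-02-20T03:27:00'

# The checksum a packager would have recorded when the first tarball was fetched.
RECORDED=$(archive_sum "$WORK/v1.tar")

verify_source "$WORK/v1.tar" "$RECORDED"          # Passed
verify_source "$WORK/v2.tar" "$RECORDED" || true  # FAILED: only metadata changed
verify_source "$WORK/v2.tar" SKIP                 # Skipped: nothing was verified

echo "content hash v1: $(content_sum "$WORK/v1.tar")"
echo "content hash v2: $(content_sum "$WORK/v2.tar")"
```

Running it shows the archive checksums of v1.tar and v2.tar differ while their content hashes agree: the integrity array catches a changed download, not a changed program, and 'SKIP' simply removes that check, so an unchanged content hash (or an upstream signature) is what actually tells you the sources are the same.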