[aur-general] Support for remote sums in PKGBUILDs
Doug Newgard
scimmia22 at outlook.com
Mon Oct 21 22:13:45 EDT 2013
----------------------------------------
> From: adys.wh at gmail.com
> Date: Tue, 22 Oct 2013 01:56:16 +0100
> To: aur-general at archlinux.org
> Subject: [aur-general] Support for remote sums in PKGBUILDs
>
> Breaking away from an IRC convo from this morning; has support for
> remote sums been considered for pacman?
> It's currently possible to do this for .sig files (through the source
> array), but not available for simple sha/md5 hashes. This would let
> packagers do something like:
> source=("http://example.com/downloads/$pkgname-$pkgver.tar.xz")
> sha1sums=("http://example.com/downloads/$pkgname-$pkgver.tar.xz.sha1")
>
> (Of course, only for servers that generate a programmatically
> discoverable hash of some sort; but it's not actually uncommon)
>
> J. Leclanche
Couldn't you just do:
sha1sums=("$(curl http://example.com/downloads/$pkgname-$pkgver.tar.xz.sha1)")
It kind of defeats the purpose, though. If the server is hacked or someone does a MitM, they can easily replace the checksum file as well.
More information about the aur-general
mailing list