[aur-general] About the vuescan-bin package updating problem

Eli Schwartz eschwartz at archlinux.org
Sun May 30 02:25:45 UTC 2021


On 5/29/21 7:00 AM, Carsten Haitzler via aur-general wrote:
> Maybe just treat this similar to aur -git builds - the upstream can't be
> checksummed (sensibly) and thus are skipped. As with all AUR things - user
> beware and you are already told to check the PKGBUILD for anything suspicious
> and it's why AUR helpers are generally discouraged. If you use this AUR you
> take on the responsibility and risks that removing the shasums creates.

The checksums are less about security and more about detecting things
like truncated downloads, server error pages that deliver "oops, page
not found" HTML content with a 200 OK response code, or captive portals
that deliver "please login to this wireless network" using, again, 200
OK response codes.

git builds have the advantage that the git protocol is internally able
to verify that the response is a) git repos, b) didn't get corrupted by
network errors, which is why they don't need or have the capability to
provide checksums.

Moreover, if you did remove the checksums, you'd still have people using
$SRCDEST to save repeated downloads and getting the wrong cached content
instead of the updated version, so they'd see nothing available to
update, or repackage old versions with a new version number. And
pkgver() functions are not a solution as pkgver() runs after the sources
are downloaded and cannot be used to update the values in the source=()
array.

-- 
Eli Schwartz
Bug Wrangler and Trusted User
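As an added illustration of the point made above (example code, not from the thread or from the vuescan-bin package), the script below mimics makepkg's checksum step with a pinned sha256 and runs it over three constructed inputs: the expected payload, a truncated copy of it, and a captive-portal HTML page standing in for a "200 OK" error response. It also shows why a $SRCDEST cache keyed only on file name needs the checksum to tell a stale copy from the current release. All file names and contents are constructed for the demonstration; only `sha256sum`, `head` and `mktemp` from coreutils are assumed.

```shell
#!/bin/sh
# Added example: a minimal stand-in for makepkg's sha256sums=() check.
# Everything below is constructed sample data, not real release content.

set -u

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed "upstream" payload standing in for the real tarball.
printf 'fake-release-contents\n' > "$workdir/good.tar.gz"

# Constructed failure modes a plain "did curl exit 0" check would miss:
# a download cut off part way, and a captive-portal page served with 200 OK.
head -c 10 "$workdir/good.tar.gz" > "$workdir/truncated.tar.gz"
printf '<html><body>Please login to this wireless network</body></html>\n' \
    > "$workdir/portal.tar.gz"

# The value a maintainer pins in the PKGBUILD after one verified download.
expected=$(sha256sum "$workdir/good.tar.gz" | cut -d' ' -f1)

# verify_source FILE EXPECTED -> exit 0 if the file's sha256 matches, 1 otherwise.
verify_source() {
    local file="$1" want="$2" got
    got=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$got" = "$want" ]
}

# Simulated $SRCDEST: an older download kept under the same file name.
# Without a pinned checksum it would be reused silently for the "new" pkgver.
srcdest="$workdir/srcdest"
mkdir -p "$srcdest"
printf 'older-release-contents\n' > "$srcdest/release.tar.gz"

# Named checks so each outcome can be inspected individually.
check_good()      { verify_source "$workdir/good.tar.gz" "$expected"; }
check_truncated() { verify_source "$workdir/truncated.tar.gz" "$expected"; }
check_portal()    { verify_source "$workdir/portal.tar.gz" "$expected"; }
cached_is_current() { verify_source "$srcdest/release.tar.gz" "$expected"; }

# Report what makepkg would do with each input.
for f in good truncated portal; do
    if verify_source "$workdir/$f.tar.gz" "$expected"; then
        echo "$f.tar.gz: checksum OK"
    else
        echo "$f.tar.gz: checksum FAILED, makepkg would abort"
    fi
done
if cached_is_current; then
    echo "srcdest copy is current, safe to reuse"
else
    echo "srcdest copy is stale, a fresh download is needed"
fi
```

Only the intact payload passes; the truncated file, the HTML page and the stale cached copy all fail the comparison, which is exactly the class of error the checksums exist to catch, independent of any trust question about the upstream vendor.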
