[aur-general] About the vuescan-bin package updating problem

Carsten Haitzler raster at rasterman.com
Sun May 30 09:41:44 UTC 2021


On Sat, 29 May 2021 22:25:45 -0400 Eli Schwartz via aur-general
<aur-general at lists.archlinux.org> said:

> On 5/29/21 7:00 AM, Carsten Haitzler via aur-general wrote:
> > Maybe just treat this similar to aur -git builds - the upstream can't be
> > checksummed (sensibly) and thus are skipped. As with all AUR things - user
> > beware and you are already told to check the PKGBUILD for anything
> > suspicious and it's why AUR helpers are generally discouraged. If you use
> > this AUR you take on the responsibility and risks that removing the shasums
> > creates.
> 
> The checksums are less about security and more about detecting things
> like truncated downloads, server error pages that deliver "oops, page
> not found" HTML content with a 200 OK response code, or captive portals
> that deliver "please login to this wireless network" using, again, 200
> OK response codes.

But as it's an rpm - this will be found soon enough with a corrupted rpm (it's
not an rpm, or it's partial). I'm sure you can find some rpm consistency checking
that is able to detect this.

> git builds have the advantage that the git protocol is internally able
> to verify that the response is a) git repos, b) didn't get corrupted by
> network errors, which is why they don't need or have the capability to
> provide checksums.
> 
> Moreover, if you did remove the checksums, you'd still have people using
> $SRCDEST to save repeated downloads and getting the wrong cached content
> instead of the updated version, so they'd see nothing available to
> update, or repackage old versions with a new version number. And
> pkgver() functions are not a solution as pkgver() runs after the sources
> are downloaded and cannot be used to update the values in the source=()
> array.

Extract it from the rpm... :) The PKGBUILD can also nuke any local files in the
build dir (i.e. src), which negates that form of caching at least. If an
intermediate proxy caches - then ... either way we have a failure. The pkg
doesn't update - it stays the same version, or the shasum fails and no package is
built. Either way - failure, and the user doesn't get an update. :)

If an upstream is actively trying to make things hard, we're going to have
issues no matter what.


-- 
------------- Codito, ergo sum - "I code, therefore I am" --------------
Carsten Haitzler - raster at rasterman.com
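The two failure modes discussed above (a 200 OK response that is really an HTML error or captive-portal page, and a truncated download) and the "is it actually an rpm" consistency check the reply proposes, as an added example. This is not code from the thread, from the vuescan-bin PKGBUILD or from makepkg; the sample "downloads" are constructed inline (a file carrying only the 4-byte RPM lead magic ED AB EE DB plus filler, an HTML login page, and a file cut off mid-magic), and `sha256sum` from GNU coreutils is assumed for the checksum comparison.

```shell
#!/bin/sh
# Added example, not from the aur-general thread or any AUR package.
# Classifies a candidate download before trusting it, and checks it against
# an expected sha256 the way a fixed checksum in source=() would.
set -e

# An RPM package begins with the 4-byte lead magic ED AB EE DB.
is_rpm() {
    [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "edabeedb" ]
}

# The "200 OK but it's a web page" case: look for HTML markers in the head.
looks_like_html() {
    head -c 512 "$1" | grep -qi -e '<html' -e '<!doctype html'
}

# Prints one of: rpm, html, junk.  A truncated or otherwise corrupt file
# that is neither a plausible rpm nor a web page lands in "junk".
classify() {
    if is_rpm "$1"; then
        echo rpm
    elif looks_like_html "$1"; then
        echo html
    else
        echo junk
    fi
}

# Compares the file's sha256 with an expected value (assumes GNU sha256sum).
# This is the check that also catches a stale $SRCDEST copy with the right
# name but the wrong content, which the magic-byte test alone cannot.
checksum_ok() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Constructed sample inputs (not real packages or real server responses).
make_samples() {
    dir=$1
    # RPM lead magic + major/minor version bytes + filler: not a valid rpm,
    # just enough to pass the magic check.
    printf '\355\253\356\333\003\000' > "$dir/good.rpm"
    head -c 100 /dev/zero >> "$dir/good.rpm"
    # What a captive portal hands back with a 200 status code.
    printf '<!DOCTYPE html><html><body>Please log in to this wireless network</body></html>' \
        > "$dir/captive.rpm"
    # A download that died after two bytes.
    printf '\355\253' > "$dir/truncated.rpm"
}

# Stand-alone demo.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in good.rpm captive.rpm truncated.rpm; do
    printf '%s: %s\n' "$f" "$(classify "$demo_dir/$f")"
done
rm -rf "$demo_dir"
```

In practice `file` reports "RPM v3.0" for a real package and `rpm -K` or `rpm -qp` will reject a truncated one, so a PKGBUILD that drops fixed checksums could at least fail early on this kind of classification; what it cannot do is distinguish last week's upstream rpm from this week's, which is the caching problem the quoted reply raises.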

