[pacman-dev] [PATCH] makepkg: rework --skip-integ

[Allan McRae]

Loui Chang wrote:
> On Fri 30 Oct 2009 22:21 +1000, Allan McRae wrote:
>> Loui Chang wrote:
>>> On Fri 30 Oct 2009 15:29 +1000, Allan McRae wrote:
>>>> Loui Chang wrote:
>>>>> On Thu 29 Oct 2009 14:40 +1000, Allan McRae wrote:
>>>>>> Jeff wrote:
>>>>>>>> Patch [1] extends the --skipinteg option allow the generation of
>>>>>>>> a source tarball without requiring the checking of the integrity
>>>>>>>> checks
>>>>>>> You've given the what, but what is the why? If the source integrity is
>>>>>>> flawed, then the generated source package is flawed. This seems like
>>>>>>> something that should be safeguarded against, IMO.
>>>>>> I can come up with two use cases:
>>>>>>
>>>>>> 1) making a PKGBUILD for a snapshot release that is always accessible
>>>>> >from some sort of LATEST release directory symlink.  Many projects
>>>>>> use something like that.  That way the PKGBUILD does not need updated
>>>>>> every time a snapshot is release.  While it may be argued that it is
>>>>>> better to use a svn/cvs/git/etc PKGBUILD, in many cases the snapshots
>>>>>> are generally sanity checked before release.
>>>>>> 2) This happens to me occasionally.  Someone sends me a PKGBUILD they
>>>>>> can not get working.  I see an obvious error, fix it and send the
>>>>>> PKGBUILD back saying "try this" because I really do not want to
>>>>>> download the sources/dependencies to check myself.
>>>>> In both cases if you could omit checksums and makepkg could interpret
>>>>> that as "the packager doesn't really care about integrity, skip checks".
>>>> In case 2, why would I delete the checksums that are correct and
>>>> supplied just because I do not want to download the source to check
>>>> them?
>>> How do you know they are correct if you haven't checked them?
>> Please read case two again.  I can assume they are correct given they
>> were provided to me and I do not want to download the sources to get
>> them.  I have this happen to me around once every week or two which
>> is one of the reason I was motivated to write this patch.
> 
> You can assume sure, but you can't know. It could be a reason behind
> your user's problems. The only true way to maintain integrity is to do
> the checks.
> 
> You can look at it this way: with makepkg you are making a 'source
> package' so you want to maintain integrity. If you just want to send
> people a bunch o files, tar is a more suitable tool.
> 
>>>>> It could print a warning, and you don't need another fancy flag.
>>>> Note it is not another fancy flag. It is a reuse of an already
>>> Sorry. I guess the man page needs updating. Looks like it's pretty new.
>> Nope...
>> man makepkg:
>>       --skipinteg
>>           Do not fail when the PKGBUILD does not contain any integrity
>>           checks, just print a warning instead.
> 
> Aha. Thanks, I see it.
> 
>>>> implemented flag.   And that suggestion would mean that instead of
>>>> the current error on no integrity checks, makepkg would instead just
>>>> print a warning (which is as good as being silent early in the build
>>>> process).  My patch, keeps that error and the user has to go out of
>>>> their way to use --skipinteg.  You would not type this unless you had
>>>> a reason, so in the vast, vast majority of cases, the integrity
>>>> checks will be performed.
>>> If you're just someone who's building (not the packager) and you're
>>> adding checksums to the PKGBUILD afterwards, you don't really know
>>> whether the source is valid or not. It's a waste of time, and a false
>>> sense of integrity to add them afterwards, and then have to use
>>> --skipinteg.
>> What is your point here? I never said anything about adding checksums
>> afterwards.  And why would you use --skipinteg after adding
>> checksums?  I am entirely lost...    Also, I see no way that not
>> shipping checksums in a PKGBUILD would give a false sense of
>> security.  You would need to use the --skipinteg flag to build the
>> package, which would seem to flag insecure to me.
> 
> You might add checksums to not have to use --skipinteg, but integrity
> actually wouldn't be insured in that case.
> You might use --skipinteg after adding checksums if your sources
> snapshot changed.
> 
> You have a point that needing --skipinteg makes the user aware of
> insecure/invalid sources, but that only applies when building binaries for
> yourself. Checksums should always be enforced when distributing binaries
> to others. So my suggestion of skipping checks if checksums are missing
> was flawed. Checks should always be enforced.
> 
> The --skipinteg flag just seems like a workaround for the lazy.
> 

I just want to point out that I have run into yet another situation 
where --skipinteg when generating a source package would be useful.  I 
am moving some packages from the Arch repos to the AUR.  The md5sums are 
obviously correct but I am forced to download the sources.  (Well, I am 
not as my makepkg is patched...  but you get my point).

This is the only case I can think of in makepkg/pacman where we force a 
user to do something the "correct" way.  For every other check I can 
think of, there is a flag to stop it being performed.

Allan