[pacman-dev] [PATCH] makepkg: rework --skip-integ
Allan McRae
allan at archlinux.org
Sat Nov 7 09:38:44 EST 2009
Loui Chang wrote:
> On Fri 30 Oct 2009 22:21 +1000, Allan McRae wrote:
>> Loui Chang wrote:
>>> On Fri 30 Oct 2009 15:29 +1000, Allan McRae wrote:
>>>> Loui Chang wrote:
>>>>> On Thu 29 Oct 2009 14:40 +1000, Allan McRae wrote:
>>>>>> Jeff wrote:
>>>>>>>> Patch [1] extends the --skipinteg option to allow the generation of
>>>>>>>> a source tarball without requiring the checking of the integrity
>>>>>>>> checks
>>>>>>> You've given the what, but what is the why? If the source integrity is
>>>>>>> flawed, then the generated source package is flawed. This seems like
>>>>>>> something that should be safeguarded against, IMO.
>>>>>> I can come up with two use cases:
>>>>>>
>>>>>> 1) making a PKGBUILD for a snapshot release that is always accessible
>>>>>> from some sort of LATEST release directory symlink. Many projects
>>>>>> use something like that. That way the PKGBUILD does not need updated
>>>>>> every time a snapshot is released. While it may be argued that it is
>>>>>> better to use a svn/cvs/git/etc PKGBUILD, in many cases the snapshots
>>>>>> are generally sanity checked before release.
>>>>>> 2) This happens to me occasionally. Someone sends me a PKGBUILD they
>>>>>> can not get working. I see an obvious error, fix it and send the
>>>>>> PKGBUILD back saying "try this" because I really do not want to
>>>>>> download the sources/dependencies to check myself.
>>>>> In both cases if you could omit checksums and makepkg could interpret
>>>>> that as "the packager doesn't really care about integrity, skip checks".
>>>> In case 2, why would I delete the checksums that are correct and
>>>> supplied just because I do not want to download the source to check
>>>> them?
>>> How do you know they are correct if you haven't checked them?
>> Please read case two again. I can assume they are correct given they
>> were provided to me and I do not want to download the sources to get
>> them. I have this happen to me around once every week or two which
>> is one of the reasons I was motivated to write this patch.
>
> You can assume sure, but you can't know. It could be a reason behind
> your user's problems. The only true way to maintain integrity is to do
> the checks.
>
> You can look at it this way: with makepkg you are making a 'source
> package' so you want to maintain integrity. If you just want to send
> people a bunch of files, tar is a more suitable tool.
>
>>>>> It could print a warning, and you don't need another fancy flag.
>>>> Note it is not another fancy flag. It is a reuse of an already
>>> Sorry. I guess the man page needs updating. Looks like it's pretty new.
>> Nope...
>> man makepkg:
>> --skipinteg
>> Do not fail when the PKGBUILD does not contain any integrity
>> checks, just print a warning instead.
>
> Aha. Thanks, I see it.
>
>>>> implemented flag. And that suggestion would mean that instead of
>>>> the current error on no integrity checks, makepkg would instead just
>>>> print a warning (which is as good as being silent early in the build
>>>> process). My patch keeps that error and the user has to go out of
>>>> their way to use --skipinteg. You would not type this unless you had
>>>> a reason, so in the vast, vast majority of cases, the integrity
>>>> checks will be performed.
>>> If you're just someone who's building (not the packager) and you're
>>> adding checksums to the PKGBUILD afterwards, you don't really know
>>> whether the source is valid or not. It's a waste of time, and a false
>>> sense of integrity to add them afterwards, and then have to use
>>> --skipinteg.
>> What is your point here? I never said anything about adding checksums
>> afterwards. And why would you use --skipinteg after adding
>> checksums? I am entirely lost... Also, I see no way that not
>> shipping checksums in a PKGBUILD would give a false sense of
>> security. You would need to use the --skipinteg flag to build the
>> package, which would seem to flag insecure to me.
>
> You might add checksums to not have to use --skipinteg, but integrity
> actually wouldn't be ensured in that case.
> You might use --skipinteg after adding checksums if your sources
> snapshot changed.
>
> You have a point that needing --skipinteg makes the user aware of
> insecure/invalid sources, but that only applies when building binaries for
> yourself. Checksums should always be enforced when distributing binaries
> to others. So my suggestion of skipping checks if checksums are missing
> was flawed. Checks should always be enforced.
>
> The --skipinteg flag just seems like a workaround for the lazy.
>
I just want to point out that I have run into yet another situation
where --skipinteg when generating a source package would be useful. I
am moving some packages from the Arch repos to the AUR. The md5sums are
obviously correct but I am forced to download the sources. (Well, I am
not as my makepkg is patched... but you get my point).
This is the only case I can think of in makepkg/pacman where we force a
user to do something the "correct" way. For every other check I can
think of, there is a flag to stop it being performed.
Allan