[pacman-dev] [PATCH] makepkg: rework --skip-integ

Allan McRae allan at archlinux.org
Fri Oct 30 08:21:07 EDT 2009 

Loui Chang wrote:
> On Fri 30 Oct 2009 15:29 +1000, Allan McRae wrote:
>   
>> Loui Chang wrote:
>>     
>>> On Thu 29 Oct 2009 14:40 +1000, Allan McRae wrote:
>>>       
>>>> Jeff wrote:
>>>>         
>>>>>> Patch [1] extends the --skipinteg option allow the generation of
>>>>>> a source tarball without requiring the checking of the integrity
>>>>>> checks
>>>>>>             
>>>>> You've given the what, but what is the why? If the source integrity is
>>>>> flawed, then the generated source package is flawed. This seems like
>>>>> something that should be safeguarded against, IMO.
>>>>>           
>>>> I can come up with two use cases:
>>>>
>>>> 1) making a PKGBUILD for a snapshot release that is always accessible
>>>>         
>>> >from some sort of LATEST release directory symlink.  Many projects
>>>       
>>>> use something like that.  That way the PKGBUILD does not need updated
>>>> every time a snapshot is release.  While it may be argued that it is
>>>> better to use a svn/cvs/git/etc PKGBUILD, in many cases the snapshots
>>>> are generally sanity checked before release.
>>>>         
>>>> 2) This happens to me occasionally.  Someone sends me a PKGBUILD they
>>>> can not get working.  I see an obvious error, fix it and send the
>>>> PKGBUILD back saying "try this" because I really do not want to
>>>> download the sources/dependencies to check myself.
>>>>         
>>> In both cases if you could omit checksums and makepkg could interpret
>>> that as "the packager doesn't really care about integrity, skip checks".
>>>       
>> In case 2, why would I delete the checksums that are correct and
>> supplied just because I do not want to download the source to check
>> them?
>>     
>
> How do you know they are correct if you haven't checked them?
>   

Please read case two again.  I can assume they are correct given they 
were provided to me and I do not want to download the sources to get 
them.  I have this happen to me around once every week or two which is 
one of the reason I was motivated to write this patch.

>>> It could print a warning, and you don't need another fancy flag.
>>>       
>> Note it is not another fancy flag. It is a reuse of an already
>>     
>
> Sorry. I guess the man page needs updating. Looks like it's pretty new.
>   

Nope...
man makepkg:
       --skipinteg
           Do not fail when the PKGBUILD does not contain any integrity
           checks, just print a warning instead.

>> implemented flag.   And that suggestion would mean that instead of
>> the current error on no integrity checks, makepkg would instead just
>> print a warning (which is as good as being silent early in the build
>> process).  My patch, keeps that error and the user has to go out of
>> their way to use --skipinteg.  You would not type this unless you had
>> a reason, so in the vast, vast majority of cases, the integrity
>> checks will be performed.
>>     
>
> If you're just someone who's building (not the packager) and you're
> adding checksums to the PKGBUILD afterwards, you don't really know
> whether the source is valid or not. It's a waste of time, and a false
> sense of integrity to add them afterwards, and then have to use
> --skipinteg.
>   

What is your point here? I never said anything about adding checksums 
afterwards.  And why would you use --skipinteg after adding checksums?  
I am entirely lost...    Also, I see no way that not shipping checksums 
in a PKGBUILD would give a false sense of security.  You would need to 
use the --skipinteg flag to build the package, which would seem to flag 
insecure to me.

As an aside, I find it plausible that the majority of checksums in 
PKGBUILDs are put there by the use of "makepkg -g" so they are 
essentially useless anyway.

Allan

More information about the pacman-dev mailing list