[pacman-dev] makepkg integrity check patches
allan at archlinux.org
Thu May 6 02:51:43 CEST 2010
Here is some justification for the patches on my working branch related
to integrity checking. Put in order from least controversial to most...
1) cd3910b makepkg -g: use checksums defined in the pkgbuild
This is Xavier's patch. I am not sure there was ever issues with this
one, but I think it got caught up with the other patches. This patch
just makes it easier to maintain checksums in a PKGBUILD other than the
default in makepkg.conf. e.g. if I have sha1sums in the PKGBUILD,
"makepkg -g" will generate sha1sums even if generating md5sums is the
default. To generate md5sums only, you just need to remove the old
checksums from the PKGBUILD or add an empty md5sum array to the PKGBUILD.
2) cd1378d makepkg: rework --skipinteg
This is very, very, VERY useful. I did not have makepkg-git on my new
computer earlier this week and the current makepkg behaviour annoyed me
> /usr/bin/makepkg --skipinteg
==> Validating source files with md5sums...
abs-18.104.22.168.tar.gz ... FAILED
==> ERROR: One or more files did not pass the validity check!
> makepkg --skipinteg
==> WARNING: Skipping integrity checks.
==> Extracting Sources...
This is particularly useful when testing out a patch that you need to
repeatedly modify. You only need to update your checksums once it is
working. I use this very frequently, but then again I do more packaging
3) 5d911ae makepkg: allow skipping integrity checks when making source
And here is the fun one... "makepkg --source" currently requires
checking all checksums. Using "-source --skipinteg" does not skip this,
which in itself makes little sense to me. The argument that this stops
people distributing packages with bad checksums is flawed. There is
nothing stopping them doing that now. They just have to not use makepkg
when creating the tarball, which could lead to even worse PKGBUILDs
being distributed as none of makepkg's other checks would be performed.
Admittedly, this patch will see little use. I used to use it in
combination with #2 when checking that a modified patch compiled on both
my i686 and x86_64 machines. Now that I build both architectures on one
machine, this is of less use to me. I have also used it when commenting
on a PKGBUILD that was sent to me with a query about the best way to
implement something. There I modified some of the build() function to
be clearer and sent it to the author saying I would use this approach
but it is not tested. Note I could have used tar manually (in fact the
tar file name would have been tab autocompleted so the command would
probably be simpler to type), but then I would not get the other checks
Note that this patch does not make --skipinteg the default. In fact,
given how long the options is, it is very unlikely that a user could
every accidentally type it! There is no difference in behaviour to the
current "makepkg --source" unless the user specifically requests it. The
patch just makes --skipinteg do what its name says; skip integrity checks.
More information about the pacman-dev