[pacman-dev] makepkg integrity check patches

Loui Chang louipc.ist at gmail.com
Thu May 6 03:41:02 CEST 2010


On Thu 06 May 2010 10:51 +1000, Allan McRae wrote:
> 2) cd1378d makepkg: rework --skipinteg
> 
> This is very, very, VERY useful.  I did not have makepkg-git on my
> new computer earlier this week and the current makepkg behaviour
> annoyed me A LOT.
>
> This is particularly useful when testing out a patch that you need to
> repeatedly modify.  You only need to update your checksums once it is
> working.  I use this very frequently, but then again I do more
> packaging than most.

I believe this is bad behaviour. makepkg should be used to package
software, not help you develop patches for it.

> 3) 5d911ae makepkg: allow skipping integrity checks when making
> source package

> And here is the fun one... "makepkg --source" currently requires
> checking all checksums.  Using "--source --skipinteg" does not skip
> this, which in itself makes little sense to me.  The argument that
> this stops people distributing packages with bad checksums is flawed.
> There is nothing stopping them doing that now.  They just have to not
> use makepkg when creating the tarball, which could lead to even worse
> PKGBUILDs being distributed as none of makepkg's other checks would
> be performed.

Just because someone can manually make a bad source package, there's no
excuse to put bad behaviour into makepkg. The same applies to binary
packages. Perhaps in the future if package signing is implemented for
packages it would also be possible to have signed source packages.

I think package integrity is most important when using these official
tools. If shortcuts are required they should be developed elsewhere.


