[pacman-dev] makepkg integrity check patches

Allan McRae allan at archlinux.org
Thu May 6 04:09:56 CEST 2010

On 06/05/10 11:41, Loui Chang wrote:
> On Thu 06 May 2010 10:51 +1000, Allan McRae wrote:
>> 2) cd1378d makepkg: rework --skipinteg
>> This is very, very, VERY useful.  I did not have makepkg-git on my
>> new computer earlier this week and the current makepkg behaviour
>> annoyed me A LOT.
>> This is particularly useful when testing out a patch that you need to
>> repeatedly modify.  You only need to update your checksums once it is
>> working.  I use this very frequently, but then again I do more
>> packaging than most.
> I believe this is bad behaviour. makepkg should be used to package
> software, not help you develop patches for it.

Not being condescending here, but you obviously do not do much 
packaging.  Packaging software requires patching software.  e.g. gcc-4.x 
header changes, libpng API changes, etc.  It is a lot easier for me to 
run "makepkg --skipinteg" to test the state of a patch to fix build 
issues that it is to manually extract the tarball, apply the patch, 
configure, make...

>> 3) 5d911ae makepkg: allow skipping integrity checks when making
>> source package
>> And here is the fun one... "makepkg --source" currently requires
>> checking all checksums.  Using "-source --skipinteg" does not skip
>> this, which in itself makes little sense to me.  The argument that
>> this stops people distributing packages with bad checksums is flawed.
>> There is nothing stopping them doing that now.  They just have to not
>> use makepkg when creating the tarball, which could lead to even worse
>> PKGBUILDs being distributed as none of makepkg's other checks would
>> be performed.
> Just because someone can manually make a bad source package there's no
> excuse to put bad behaviour into makepkg. The same applies to binary
> packages.

Why is it bad behaviour?  I think you are just assuming the user is 
stupid and will use it unnecessarily.  "pacman -Rd" and "pacman -Sf" are 
stupid in most cases, but we do not remove them as they are also useful 
in others cases.  Similarly, I provided two usage cases where it is 
perfectly reasonable behaviour to skip integrity checks.

Skipping integrity checks is not going to be the default behaviour and 
does not even have a shorthand option.  The user has to specifically 
want to use it.  Lets make the assumption that if someone goes out of 
their way to type "--skipinteg", that they are doing it deliberately.

> Perhaps in the future if package signing is implemented for
> packages it would also be possible to have signed source packages.

Yes it would, but entirely off topic.

More information about the pacman-dev mailing list