[pacman-dev] makepkg integrity check patches

Jonathan Conder j at skurvy.no-ip.org
Thu May 6 05:59:31 CEST 2010


On Thu, 2010-05-06 at 10:51 +1000, Allan McRae wrote:
> 3) 5d911ae makepkg: allow skipping integrity checks when making source 
> package
> 
> And here is the fun one... "makepkg --source" currently requires 
> checking all checksums.  Using "-source --skipinteg" does not skip this, 
> which in itself makes little sense to me.  The argument that this stops 
> people distributing packages with bad checksums is flawed.  There is 
> nothing stopping them doing that now.  They just have to not use makepkg 
> when creating the tarball, which could lead to even worse PKGBUILDs 
> being distributed as none of makepkg's other checks would be performed.

I found a use case for this recently. For some reason uploading the
tarball of my project to GitHub changed its checksum, so I had to adjust
that in the PKGBUILD. But when I put it on the AUR, people complained
that the checksum was wrong. I tried to revert it, but makepkg would not
let me run --source without the original tarball (which I had deleted),
so I had to run make dist all over again, re-upload and so on. This time
I used the original checksum (after checking that the extracted tarballs
were the same, of course), and that seemed to work. But it would have
been easier for me if makepkg just skipped the --source integrity check.

Jonathan


