[pacman-dev] makepkg integrity check patches

Thu May 6 12:11:57 CEST 2010

On Thu, May 6, 2010 at 4:09 AM, Allan McRae <allan at archlinux.org> wrote:
> On 06/05/10 11:41, Loui Chang wrote:
>>
>> On Thu 06 May 2010 10:51 +1000, Allan McRae wrote:
>>>
>>> 2) cd1378d makepkg: rework --skipinteg
>>>
>>> This is very, very, VERY useful.  I did not have makepkg-git on my
>>> new computer earlier this week and the current makepkg behaviour
>>> annoyed me A LOT.
>>>
>>> This is particularly useful when testing out a patch that you need to
>>> repeatedly modify.  You only need to update your checksums once it is
>>> working.  I use this very frequently, but then again I do more
>>> packaging than most.
>>
>> I believe this is bad behaviour. makepkg should be used to package
>> software, not help you develop patches for it.
>
> Not being condescending here, but you obviously do not do much packaging.
>  Packaging software requires patching software.  e.g. gcc-4.x header
> changes, libpng API changes, etc.  It is a lot easier for me to run "makepkg
> --skipinteg" to test the state of a patch to fix build issues that it is to
> manually extract the tarball, apply the patch, configure, make...
>

To complete Allan's arguments :
90% of the pkgbuilds I build are not meant to be shared with anyone
else, usually ABS or AUR packages, sometimes slightly customized for
my needs.
Why couldn't I enable a non-default behavior that skip integs when I
know they will fail and I don't care what the new checksums are ?

"non-default behavior" is the important part here, if this was
default, I would be totally against this behavior.

>>> 3) 5d911ae makepkg: allow skipping integrity checks when making
>>> source package
>>
>>> And here is the fun one... "makepkg --source" currently requires
>>> checking all checksums.  Using "-source --skipinteg" does not skip
>>> this, which in itself makes little sense to me.  The argument that
>>> this stops people distributing packages with bad checksums is flawed.
>>> There is nothing stopping them doing that now.  They just have to not
>>> use makepkg when creating the tarball, which could lead to even worse
>>> PKGBUILDs being distributed as none of makepkg's other checks would
>>> be performed.
>>
>> Just because someone can manually make a bad source package there's no
>> excuse to put bad behaviour into makepkg. The same applies to binary
>> packages.
>
> Why is it bad behaviour?  I think you are just assuming the user is stupid
> and will use it unnecessarily.  "pacman -Rd" and "pacman -Sf" are stupid in
> most cases, but we do not remove them as they are also useful in others
> cases.  Similarly, I provided two usage cases where it is perfectly
> reasonable behaviour to skip integrity checks.
>
> Skipping integrity checks is not going to be the default behaviour and does
> not even have a shorthand option.  The user has to specifically want to use
> it.  Lets make the assumption that if someone goes out of their way to type
> "--skipinteg", that they are doing it deliberately.
>

Agreed. If we assume the user is completely stupid, we can't develop
softwares. We can't produce anything actually.
We might need a notice or disclaimer to ship pacman and makepkg :P