[pacman-dev] makepkg integrity check patches

Loui Chang louipc.ist at gmail.com
Thu May 6 13:54:13 CEST 2010


On Thu 06 May 2010 15:59 +1200, Jonathan Conder wrote:
> On Thu, 2010-05-06 at 10:51 +1000, Allan McRae wrote:
> > 3) 5d911ae makepkg: allow skipping integrity checks when making source 
> > package
> > 
> > And here is the fun one... "makepkg --source" currently requires 
> > checking all checksums.  Using "--source --skipinteg" does not skip this, 
> > which in itself makes little sense to me.  The argument that this stops 
> > people distributing packages with bad checksums is flawed.  There is 
> > nothing stopping them doing that now.  They just have to not use makepkg 
> > when creating the tarball, which could lead to even worse PKGBUILDs 
> > being distributed as none of makepkg's other checks would be performed.
> 
> I found a use case for this recently. For some reason uploading the
> tarball of my project to GitHub changed its checksum, so I had to adjust
> that in the PKGBUILD. But when I put it on the AUR, people complained
> that the checksum was wrong. I tried to revert it, but makepkg would not
> let me run --source without the original tarball (which I had deleted),
> so I had to run make dist all over again, re-upload and so on. This time
> I used the original checksum (after checking that the extracted tarballs
> were the same, of course), and that seemed to work. But it would have
> been easier for me if makepkg just skipped the --source integrity check.

I think checksums were implemented for exactly that type of situation.
If the server altered your file, or there was some server error, then
the check should fail.
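To make the check being argued over concrete, here is an added example of a makepkg-style source integrity check (illustrative POSIX shell written for this page, not makepkg's own code). It hashes a source file with sha256, compares it with the checksum recorded for that file, fails loudly on a mismatch, and shows the two ways of bypassing that failure: a global skip flag (what --skipinteg does for the whole build) and a per-file 'SKIP' placeholder in the checksum list. The function names, the sample file contents and the expected hash are all constructed for the example.

```shell
#!/bin/sh
# Added example: a makepkg-style integrity check for one source file.
# Not makepkg's own code; function names and sample data are constructed.

# file_sha256 FILE
# Print the hex sha256 of FILE. Uses sha256sum (coreutils) and falls
# back to shasum (BSD/macOS) so the example runs on either platform.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# check_integrity FILE EXPECTED [SKIPINTEG]
# Returns 0 when FILE's sha256 equals EXPECTED, 1 when it does not.
# EXPECTED='SKIP' disables the check for this file only (per-file bypass);
# SKIPINTEG=1 disables it for every file, like makepkg's --skipinteg,
# but still prints the mismatch so the packager sees what was bypassed.
check_integrity() {
    file=$1
    expected=$2
    skipinteg=${3:-0}

    if [ ! -f "$file" ]; then
        echo "==> ERROR: $file: file not found" >&2
        return 1
    fi

    if [ "$expected" = "SKIP" ]; then
        echo "==> $file: Skipped"
        return 0
    fi

    actual=$(file_sha256 "$file")
    if [ "$actual" = "$expected" ]; then
        echo "==> $file: Passed"
        return 0
    fi

    if [ "$skipinteg" = "1" ]; then
        echo "==> WARNING: $file: expected $expected, got $actual (integrity check skipped)" >&2
        return 0
    fi

    echo "==> ERROR: $file: FAILED (expected $expected, got $actual)" >&2
    return 1
}

# Constructed sample source file: the text "hello\n", whose sha256 is
# 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03.
SAMPLE_SHA256=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

make_sample() {
    f=$(mktemp)
    printf 'hello\n' > "$f"
    echo "$f"
}

# Walk through the scenario from the thread: the file matches the recorded
# checksum, then the served copy is altered (one extra byte) and the check
# fails, unless integrity checking is skipped.
demo() {
    src=$(make_sample)
    check_integrity "$src" "$SAMPLE_SHA256"
    printf 'x' >> "$src"                       # simulate the altered upload
    check_integrity "$src" "$SAMPLE_SHA256" || echo "==> build would abort here"
    check_integrity "$src" "$SAMPLE_SHA256" 1  # --skipinteg style bypass
    check_integrity "$src" SKIP                # per-file bypass
    rm -f "$src"
}

[ "${1:-}" = "demo" ] && demo
```

Run it as `sh check.sh demo`. The point the example makes is the one Loui's reply makes: an altered file is exactly what the checksum is there to catch, so the bypasses are deliberate, visible choices (a flag or a literal 'SKIP') rather than something the tool silently does.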


