[pacman-dev] makepkg integrity check patches
allan at archlinux.org
Tue May 18 05:08:31 CEST 2010
On 06/05/10 11:10, Dan McGee wrote:
> On Wed, May 5, 2010 at 7:51 PM, Allan McRae<allan at archlinux.org> wrote:
>> 3) 5d911ae makepkg: allow skipping integrity checks when making source
>> And here is the fun one... "makepkg --source" currently requires checking
>> all checksums. Using "-source --skipinteg" does not skip this, which in
>> itself makes little sense to me. The argument that this stops people
>> distributing packages with bad checksums is flawed. There is nothing
>> stopping them doing that now. They just have to not use makepkg when
>> creating the tarball, which could lead to even worse PKGBUILDs being
>> distributed as none of makepkg's other checks would be performed.
> Part of me says this is at least a barrier they would have to work to
> cross and defeat, and just downloading the darn source would be
> quicker for most. I do understand that a quick `tar czf` would
> circumvent the whole thing, but it has become so easy to create source
> packages that I don't feel many people even think about it this way
> anymore. Correct me if I'm wrong.
>> Admittedly, this patch will see little use. I used to use it in combination
>> with #2 when checking that a modified patch compiled on both my i686 and
>> x86_64 machines. Now that I build both architectures on one machine, this
>> is of less use to me. I have also used it when commenting on a PKGBUILD
>> that was sent to me with a query about the best way to implement something.
>> There I modified some of the build() function to be clearer and sent it to
>> the author saying I would use this approach but it is not tested. Note I
>> could have used tar manually (in fact the tar file name would have been tab
>> autocompleted so the command would probably be simpler to type), but then I
>> would not get the other checks makepkg provides.
>> Note that this patch does not make --skipinteg the default. In fact, given
>> how long the options is, it is very unlikely that a user could every
>> accidentally type it! There is no difference in behaviour to the current
>> "makepkg --source" unless the user specifically requests it. The patch just
>> makes --skipinteg do what its name says; skip integrity checks.
> Well after reading most of this you may have won me over. Maybe I can
> get just one small concession- when you use both of these options
> together (or --allsource I believe it is), we print one more warning
> saying "this source package is not guaranteed to work for anyone
> else!" or something along those lines.
I have pushed a more strongly worded message into my working branch. I
am sure the message could be improved.
More information about the pacman-dev