[pacman-dev] makepkg integrity check patches

Allan McRae allan at archlinux.org
Tue May 18 05:08:31 CEST 2010 

On 06/05/10 11:10, Dan McGee wrote:
> On Wed, May 5, 2010 at 7:51 PM, Allan McRae<allan at archlinux.org>  wrote:

>> 3) 5d911ae makepkg: allow skipping integrity checks when making source
>> package
>>
>> And here is the fun one... "makepkg --source" currently requires checking
>> all checksums.  Using "-source --skipinteg" does not skip this, which in
>> itself makes little sense to me.  The argument that this stops people
>> distributing packages with bad checksums is flawed.  There is nothing
>> stopping them doing that now.  They just have to not use makepkg when
>> creating the tarball, which could lead to even worse PKGBUILDs being
>> distributed as none of makepkg's other checks would be performed.
>
> Part of me says this is at least a barrier they would have to work to
> cross and defeat, and just downloading the darn source would be
> quicker for most. I do understand that a quick `tar czf` would
> circumvent the whole thing, but it has become so easy to create source
> packages that I don't feel many people even think about it this way
> anymore. Correct me if I'm wrong.
>
>> Admittedly, this patch will see little use.  I used to use it in combination
>> with #2 when checking that a modified patch compiled on both my i686 and
>> x86_64 machines.  Now that I build both architectures on one machine, this
>> is of less use to me.  I have also used it when commenting on a PKGBUILD
>> that was sent to me with a query about the best way to implement something.
>>   There I modified some of the build() function to be clearer and sent it to
>> the author saying I would use this approach but it is not tested.  Note I
>> could have used tar manually (in fact the tar file name would have been tab
>> autocompleted so the command would probably be simpler to type), but then I
>> would not get the other checks makepkg provides.
>>
>> Note that this patch does not make --skipinteg the default.  In fact, given
>> how long the options is, it is very unlikely that a user could every
>> accidentally type it!  There is no difference in behaviour to the current
>> "makepkg --source" unless the user specifically requests it. The patch just
>> makes --skipinteg do what its name says;  skip integrity checks.
>
> Well after reading most of this you may have won me over. Maybe I can
> get just one small concession- when you use both of these options
> together (or --allsource I believe it is), we print one more warning
> saying "this source package is not guaranteed to work for anyone
> else!" or something along those lines.
>

I have pushed a more strongly worded message into my working branch.  I 
am sure the message could be improved.

Allan

More information about the pacman-dev mailing list