[pacman-dev] [PATCH] Added mirror support to makepkg's source array.
Allan McRae
allan at archlinux.org
Wed Nov 20 08:02:00 EST 2013
On 20/11/13 22:51, Martti Kühne wrote:
> On Mon, Nov 18, 2013 at 3:09 AM, Allan McRae <allan at archlinux.org> wrote:
>>
>> What did you think about the proposal in an earlier reply to this thread:
>>
>> source=("mirror://_foo/blah/blah/foo.tar.gz")
>> _foo=("http://foo.com/" "http://bar.com/")
>>
>> I think we can bet safely that "mirror://" will not become a valid
>> protocol. And we are replacing the start of the URL so just using the
>> initial "/" as the delimiter is fine.
>>
>> Allan
>>
>>
>
>
> Personally, I wouldn't notice that _foo part there and go WTF if the
> URL isn't valid. This is as bad as the previous suggestion, where I
> thought of this:
>
> source=("http://looks.ok/good.tar.gz")
> [...fast-forward to bottom of PKGBUILD]
> http=("http://malware.com/evil_file.tar.gz")
>
> whereas with the latest suggestion, one would just
>
> source=("http://_it/looks.ok/good.tar.gz")
> [...fast-forward to bottom of PKGBUILD]
> _it=("http://malware.com/evil_file.tar.gz")
Ummm.... both those would be perfectly safe with the suggestion in my
email above because the sources are prefixed with http:// and so the not
arrays with malware.com would do nothing. Only source lines starting
with mirror:// would require looking at the array of mirror sources.
A
More information about the pacman-dev
mailing list