[pacman-dev] [PATCH 2/2] makepkg: add CRC checksums and set these to be the default

Charles Duffy charles at dyfis.net
Fri Jan 24 01:06:52 UTC 2020


A potentially unforeseen consequence:

At present, it is possible (albeit with use of tools that aren't as of
present date publicly released, something I hope to change in the future)
to use the Nix build system to build Arch packages (with some caveats, but
generally manageable ones for folks who don't need these packages to be
what Nix calls "pure").

Nix identifies downloaded content by hash -- only build-time processes
which can state a cryptographically strong checksum of their intended
output prior to time of invocation are allowed to connect to the internet
during the build process itself. cksum is not supported by Nix, whereas the
other checksums supported by Arch are.

Thus, moving to cksum -- quite aside from other concerns, which have been
argued outside this thread -- would encourage an increased proportion of
Arch packages to not be buildable by Nix.

On Wed, Jan 22, 2020 at 8:19 PM Allan McRae <allan at archlinux.org> wrote:

> Checksums arrays should be filled with values provided by upstream.  We
> currently have md5 set as an unsecure default, and are constantly asked to
> change it to sha2.  However, just changing the default to a stronger
> checksum
> gives the user the impression that "makepkg -g" checksums are perfect.
>
> Instead, change the default checksum to a CRC, to make it clear that any
> checksum generated purely by "makepkg -g" is not ideal.
>
> Signed-off-by: Allan McRae <allan at archlinux.org>
> ---
>  doc/PKGBUILD.5.asciidoc              | 14 +++++++-------
>  doc/makepkg.conf.5.asciidoc          |  2 +-
>  etc/makepkg.conf.in                  |  4 ++--
>  scripts/libmakepkg/util/schema.sh.in |  2 +-
>  scripts/makepkg.sh.in                |  4 ++--
>  5 files changed, 13 insertions(+), 13 deletions(-)
>
> diff --git a/doc/PKGBUILD.5.asciidoc b/doc/PKGBUILD.5.asciidoc
> index abe2ab52..4d03f8ed 100644
> --- a/doc/PKGBUILD.5.asciidoc
> +++ b/doc/PKGBUILD.5.asciidoc
> @@ -118,7 +118,7 @@ systems (see below).
>  +
>  Additional architecture-specific sources can be added by appending an
>  underscore and the architecture name e.g., 'source_x86_64=()'. There must
> be a
> -corresponding integrity array with checksums, e.g. 'md5sums_x86_64=()'.
> +corresponding integrity array with checksums, e.g. 'cksums_x86_64=()'.
>  +
>  It is also possible to change the name of the downloaded file, which is
> helpful
>  with weird URLs and for handling multiple source files with the same
> @@ -146,19 +146,19 @@ contain whitespace characters.
>         listed here will not be extracted with the rest of the source
> files. This
>         is useful for packages that use compressed data directly.
>
> -*md5sums (array)*::
> -       This array contains an MD5 hash for every source file specified in
> the
> +*cksums (array)*::
> +       This array contains CRC checksums for every source file specified
> in the
>         source array (in the same order). makepkg will use this to verify
> source
>         file integrity during subsequent builds. If 'SKIP' is put in the
> array
>         in place of a normal hash, the integrity check for that source
> file will
> -       be skipped. To easily generate md5sums, run ``makepkg -g >>
> PKGBUILD''.
> -       If desired, move the md5sums line to an appropriate location.
> Note that
> +       be skipped. To easily generate cksums, run ``makepkg -g >>
> PKGBUILD''.
> +       If desired, move the cksums line to an appropriate location.  Note
> that
>         checksums generated by "makepkg -g" provide little security
> benefit. All
>         checksum values should be as provided by the software developer.
>
> -*sha1sums, sha224sums, sha256sums, sha384sums, sha512sums, b2sums
> (arrays)*::
> +*md5sums, sha1sums, sha224sums, sha256sums, sha384sums, sha512sums,
> b2sums (arrays)*::
>         Alternative integrity checks that makepkg supports; these all
> behave
> -       similar to the md5sums option described above. To enable use and
> generation
> +       similar to the cksums option described above. To enable use and
> generation
>         of these checksums, be sure to set up the `INTEGRITY_CHECK` option
> in
>         linkman:makepkg.conf[5].
>
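
Review bot: the new cksums entry describes "CRC checksums" but the unchanged context two lines later still says 'SKIP' goes "in place of a normal hash", and the following entry says the md5sums to b2sums arrays "behave similar to the cksums option", which reads as if a CRC and a cryptographic hash were interchangeable. Since the stated purpose of the change is to signal that generated checksums are weak, say here that a CRC only detects accidental corruption and offers no protection against deliberate modification, and reword "normal hash" to "checksum" so the entry is consistent.
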
> diff --git a/doc/makepkg.conf.5.asciidoc b/doc/makepkg.conf.5.asciidoc
> index b7496324..04cc5ea9 100644
> --- a/doc/makepkg.conf.5.asciidoc
> +++ b/doc/makepkg.conf.5.asciidoc
> @@ -192,7 +192,7 @@ Options
>  **INTEGRITY_CHECK=(**check1 ...**)**::
>         File integrity checks to use. Multiple checks may be specified;
> this
>         affects both generation and checking. The current valid options
> are:
> -       `md5`, `sha1`, `sha224`, `sha256`, `sha384`, `sha512`, and `b2`.
> +       `ck`, `md5`, `sha1`, `sha224`, `sha256`, `sha384`, `sha512`, and
> `b2`.
>
>  **STRIP_BINARIES=**"--strip-all"::
>         Options to be used when stripping binaries. See linkman:strip[1]
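
Review bot: `ck` is added at the head of the valid options list with nothing to distinguish it from `sha256` or `b2`. This man page is where a user decides what to put in INTEGRITY_CHECK, so it should state that `ck` is a non-cryptographic CRC, that it is now the default, and that the sha2 or b2 entries are the ones to pick when the checksum is meant to detect tampering.
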
> diff --git a/etc/makepkg.conf.in b/etc/makepkg.conf.in
> index caf5114b..1c7988d2 100644
> --- a/etc/makepkg.conf.in
> +++ b/etc/makepkg.conf.in
> @@ -89,8 +89,8 @@ BUILDENV=(!distcc color !ccache check !sign)
>  #
>  OPTIONS=(strip docs libtool staticlibs emptydirs zipman purge !debug)
>
> -#-- File integrity checks to use. Valid: md5, sha1, sha224, sha256,
> sha384, sha512, b2
> -INTEGRITY_CHECK=(md5)
> +#-- File integrity checks to use. Valid: ck, md5, sha1, sha224, sha256,
> sha384, sha512, b2
> +INTEGRITY_CHECK=(ck)
>  #-- Options to be used when stripping binaries. See `man strip' for
> details.
>  STRIP_BINARIES="@STRIP_BINARIES@"
>  #-- Options to be used when stripping shared libraries. See `man strip'
> for details.
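
Review bot: the comment above `INTEGRITY_CHECK=(ck)` is still only a list of valid values, so a user reading makepkg.conf gets no hint that the new default is a CRC. The commit message says the goal is to make it clear that "makepkg -g" checksums are not ideal; that intent should be written into this comment, along with a pointer to use a sha2 or b2 entry when a cryptographically strong checksum is needed.
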
> diff --git a/scripts/libmakepkg/util/schema.sh.in
> b/scripts/libmakepkg/util/schema.sh.in
> index b2f119cf..02bfdb86 100644
> --- a/scripts/libmakepkg/util/schema.sh.in
> +++ b/scripts/libmakepkg/util/schema.sh.in
> @@ -26,7 +26,7 @@ LIBRARY=${LIBRARY:-'@libmakepkgdir@'}
>  source "$LIBRARY/util/util.sh"
>
>
> -known_hash_algos=({md5,sha{1,224,256,384,512},b2})
> +known_hash_algos=({ck,md5,sha{1,224,256,384,512},b2})
>
>  pkgbuild_schema_arrays=(arch backup checkdepends conflicts depends groups
>                          license makedepends noextract optdepends options
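
Review bot: `ck` is added to an array named known_hash_algos, but a CRC is not a hash algorithm in the sense the other members are. Either add a comment on this line noting that the list now mixes one non-cryptographic checksum with the hashes, or rename the array, so that later code iterating over it does not assume every member is collision resistant.
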
> diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
> index a6de7823..7fa791e1 100644
> --- a/scripts/makepkg.sh.in
> +++ b/scripts/makepkg.sh.in
> @@ -1195,8 +1195,8 @@ unset "${known_hash_algos[@]/%/sums}"
>  unset -f pkgver prepare build check package "${!package_@}"
>  unset "${!makedepends_@}" "${!depends_@}" "${!source_@}"
> "${!checkdepends_@}"
>  unset "${!optdepends_@}" "${!conflicts_@}" "${!provides_@}"
> "${!replaces_@}"
> -unset "${!md5sums_@}" "${!sha1sums_@}" "${!sha224sums_@}"
> "${!sha256sums_@}"
> -unset "${!sha384sums_@}" "${!sha512sums_@}" "${!b2sums_@}"
> +unset "${!cksums_@}" "${!md5sums_@}" "${!sha1sums_@}" "${!sha224sums_@}"
> +unset "${!sha256sums_@}" "${!sha384sums_@}" "${!sha512sums_@}"
> "${!b2sums_@}"
>
>  BUILDFILE=${BUILDFILE:-$BUILDSCRIPT}
>  if [[ ! -f $BUILDFILE ]]; then
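
Review bot: the two unset lines enumerate every `${!...sums_@}` prefix by hand, so each new algorithm means editing this list as well as known_hash_algos, and a missed entry would leave stale architecture-specific checksum arrays in the environment. The hunk header shows `unset "${known_hash_algos[@]/%/sums}"` already deriving the base names from the array; consider deriving the architecture-specific names from known_hash_algos in a loop as well, instead of adding `"${!cksums_@}"` to the hard-coded list.
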
> --
> 2.25.0
>

