Date: Saturday, December 31, 2022 @ 23:38:47
  Author: dvzrv
Revision: 1372728

Pin a commit checksum.

Pin the commit checksum of 21.10.2, as using the tag fragment with just the 
pkgver is unsafe.
Upstreams can otherwise move tags, leading to unreproducible (best case) or 
malicious (worst case) packages.

Modified:
  awxkit/trunk/PKGBUILD

----------+
 PKGBUILD |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD    2022-12-31 22:58:24 UTC (rev 1372727)
+++ PKGBUILD    2022-12-31 23:38:47 UTC (rev 1372728)
@@ -3,6 +3,7 @@
 pkgname=awxkit
 _pkgname=awx
 pkgver=21.10.2
+_commit=5dd0eab8060c16623bf6c5395767cd421dc09c4d  # refs/tags/21.10.2
 pkgrel=1
 pkgdesc="cli client and python library for ansible awx (tower)"
 arch=('any')
@@ -11,7 +12,7 @@
 depends=('python-six' 'python-yaml' 'python-requests' 'python-wheel')
 makedepends=('python-pip' 'python-setuptools' 'git')
 options=(!emptydirs)
-source=("${_pkgname}::git+https://github.com/ansible/${_pkgname}#tag=${pkgver}";)
+source=("${_pkgname}::git+https://github.com/ansible/${_pkgname}#tag=$_commit";)
 sha512sums=('SKIP')
 
 build() {
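Review bot: The added source line still uses the `tag=` fragment while now passing a commit hash (`#tag=$_commit`), so the fragment name no longer matches what is being pinned. makepkg has a dedicated `commit=` fragment for this; writing `#commit=${_commit}` states the intent and does not rely on how a given makepkg version resolves a hash handed to it as a tag. Because `sha512sums=('SKIP')` stays in place, the hash in `_commit` is the only integrity anchor for this source. It should therefore be updated together with `pkgver` on every bump, after checking which commit the upstream tag resolves to. The body of build() lies outside this hunk.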
