Loui Chang wrote:
On Fri 30 Oct 2009 15:29 +1000, Allan McRae wrote:
Loui Chang wrote:
On Thu 29 Oct 2009 14:40 +1000, Allan McRae wrote:
Jeff wrote:
Patch [1] extends the --skipinteg option to allow the generation of
a source tarball without requiring the checking of the integrity
checks
You've given the what, but what is the why? If the source integrity is
flawed, then the generated source package is flawed. This seems like
something that should be safeguarded against, IMO.
I can come up with two use cases:
1) making a PKGBUILD for a snapshot release that is always accessible
from some sort of LATEST release directory symlink. Many projects
use something like that. That way the PKGBUILD does not need to be updated
every time a snapshot is released. While it may be argued that it is
better to use a svn/cvs/git/etc PKGBUILD, in many cases the snapshots
are generally sanity checked before release.
2) This happens to me occasionally. Someone sends me a PKGBUILD they
can not get working. I see an obvious error, fix it and send the
PKGBUILD back saying "try this" because I really do not want to
download the sources/dependencies to check myself.
In both cases if you could omit checksums and makepkg could interpret
that as "the packager doesn't really care about integrity, skip checks".
In case 2, why would I delete the checksums that are correct and
supplied just because I do not want to download the source to check
them?
How do you know they are correct if you haven't checked them?
Please read case two again. I can assume they are correct given they
were provided to me and I do not want to download the sources to get
them. I have this happen to me around once every week or two which is
one of the reasons I was motivated to write this patch.
It could print a warning, and you don't need another fancy flag.
Note it is not another fancy flag. It is a reuse of an already
Sorry. I guess the man page needs updating. Looks like it's pretty new.
Nope...
man makepkg:
--skipinteg
Do not fail when the PKGBUILD does not contain any integrity
checks, just print a warning instead.
implemented flag. And that suggestion would mean that instead of
the current error on no integrity checks, makepkg would instead just
print a warning (which is as good as being silent early in the build
process). My patch keeps that error and the user has to go out of
their way to use --skipinteg. You would not type this unless you had
a reason, so in the vast, vast majority of cases, the integrity
checks will be performed.
If you're just someone who's building (not the packager) and you're
adding checksums to the PKGBUILD afterwards, you don't really know
whether the source is valid or not. It's a waste of time, and a false
sense of integrity to add them afterwards, and then have to use
--skipinteg.
What is your point here? I never said anything about adding checksums
afterwards. And why would you use --skipinteg after adding checksums?
I am entirely lost... Also, I see no way that not shipping checksums
in a PKGBUILD would give a false sense of security. You would need to
use the --skipinteg flag to build the package, which would seem to flag
insecure to me.
As an aside, I find it plausible that the majority of checksums in
PKGBUILDs are put there by the use of "makepkg -g" so they are
essentially useless anyway.
Allan
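
The policy argued over in this thread, as an added shell sketch (not makepkg's code and not part of any message above): a missing checksum is an error by default, the check is skipped only on an explicit flag, and a checksum regenerated from the file on disk accepts whatever is there. The names `check_integrity` and `generate_sum`, the return codes, and the use of SHA-256 via `sha256sum` are assumptions made for the illustration.

```shell
#!/bin/sh
# Added sketch, not makepkg's code; all names and return codes are hypothetical.

# generate_sum FILE: what a "makepkg -g"-style step does, hash whatever is on disk.
generate_sum() { sha256sum "$1" | cut -d' ' -f1; }

# check_integrity SKIPINTEG FILE [EXPECTED_SHA256]
# Returns: 0 verified, 1 mismatch, 2 no checksum supplied (error),
#          3 check skipped on explicit request (warning only).
check_integrity() {
    skipinteg="$1"
    file="$2"
    expected="${3:-}"

    if [ "$skipinteg" = 1 ]; then
        # Explicit opt-out: warn, and never report the source as verified.
        echo "WARNING: integrity checks skipped for $file" >&2
        return 3
    fi
    if [ -z "$expected" ]; then
        # Default path: a missing checksum is a hard error, not a warning.
        echo "ERROR: no integrity checks for $file" >&2
        return 2
    fi
    actual=$(generate_sum "$file")
    if [ "$actual" != "$expected" ]; then
        echo "ERROR: $file failed the checksum" >&2
        return 1
    fi
    return 0
}

# Constructed sample input: a stand-in source file in a temp directory.
demo_dir=$(mktemp -d)
printf 'upstream snapshot\n' > "$demo_dir/src.tar"
recorded=$(generate_sum "$demo_dir/src.tar")   # checksum the packager shipped
printf 'changed after the checksum was recorded\n' > "$demo_dir/src.tar"

check_integrity 0 "$demo_dir/src.tar" "$recorded"
echo "packager checksum, default run: rc=$?"
check_integrity 0 "$demo_dir/src.tar" "$(generate_sum "$demo_dir/src.tar")"
echo "checksum regenerated by the builder: rc=$?"
check_integrity 0 "$demo_dir/src.tar" ""
echo "no checksum, no flag: rc=$?"
check_integrity 1 "$demo_dir/src.tar" "$recorded"
echo "explicit skip: rc=$?"
rm -rf "$demo_dir"
```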