On 06/05/10 11:10, Dan McGee wrote:
> On Wed, May 5, 2010 at 7:51 PM, Allan McRae <[email protected]> wrote:
>> 3) 5d911ae makepkg: allow skipping integrity checks when making source
>> package
>>
>> And here is the fun one... "makepkg --source" currently requires checking
>> all checksums. Using "--source --skipinteg" does not skip this, which in
>> itself makes little sense to me. The argument that this stops people
>> distributing packages with bad checksums is flawed. There is nothing
>> stopping them doing that now. They just have to not use makepkg when
>> creating the tarball, which could lead to even worse PKGBUILDs being
>> distributed as none of makepkg's other checks would be performed.
>
> Part of me says this is at least a barrier they would have to work to
> cross and defeat, and just downloading the darn source would be
> quicker for most. I do understand that a quick `tar czf` would
> circumvent the whole thing, but it has become so easy to create source
> packages that I don't feel many people even think about it this way
> anymore. Correct me if I'm wrong.
>
>> Admittedly, this patch will see little use. I used to use it in combination
>> with #2 when checking that a modified patch compiled on both my i686 and
>> x86_64 machines. Now that I build both architectures on one machine, this
>> is of less use to me. I have also used it when commenting on a PKGBUILD
>> that was sent to me with a query about the best way to implement something.
>> There I modified some of the build() function to be clearer and sent it to
>> the author saying I would use this approach but it is not tested. Note I
>> could have used tar manually (in fact the tar file name would have been tab
>> autocompleted so the command would probably be simpler to type), but then I
>> would not get the other checks makepkg provides.
>>
>> Note that this patch does not make --skipinteg the default. In fact, given
>> how long the option is, it is very unlikely that a user could ever
>> accidentally type it! There is no difference in behaviour to the current
>> "makepkg --source" unless the user specifically requests it. The patch just
>> makes --skipinteg do what its name says: skip integrity checks.
>
> Well, after reading most of this you may have won me over. Maybe I can
> get just one small concession: when you use both of these options
> together (or --allsource I believe it is), we print one more warning
> saying "this source package is not guaranteed to work for anyone
> else!" or something along those lines.

I have pushed a more strongly worded message into my working branch. I
am sure the message could be improved.
Allan