On 02/19/2015 05:46 PM, Mark Lee wrote:
> On 02/19/2015 05:24 PM, Lukas Jirkovsky wrote:
>> On 19 February 2015 at 21:42, Doug Newgard <scim...@archlinux.info> wrote:
>>> You can't. If upstream provides a checksum, that gives you some verification,
>>> but since github doesn't, there's no way to verify any of it.
>>
>> I don't know about github, but with bitbucket the checksums of these
>> generated tarballs may change occasionally as I had this issue with
>> luxrender. However, the sources were always the same, it was the
>> metadata that changed.
>>
> 
> How important are checksums to PKGBUILDs then? Should sources with
> varying checksums just have 'SKIP' in their integrity arrays?
> 
> Regards,
> Mark
> 

Furthermore, if the integrity check is different from upstream, is a
packager obligated to host a copy of the source code for GPLed software?

Regards,
Mark
