On 5/29/21 7:00 AM, Carsten Haitzler via aur-general wrote:
> Maybe just treat this similar to aur -git builds - the upstream can't be
> checksummed (sensibly) and thus are skipped. As with all AUR things - user
> beware and you are already told to check the PKGBUILD for anything suspicious
> and it's why AUR helpers are generally discouraged. If you use this AUR you
> take on the responsibility and risks that removing the shasums creates.

The checksums are less about security and more about detecting things
like truncated downloads, server error pages that deliver "oops, page
not found" HTML content with a 200 OK response code, or captive portals
that deliver "please login to this wireless network" using, again, 200
OK response codes.

git builds have the advantage that the git protocol is internally able
to verify that the response is a) a git repo and b) didn't get corrupted
by network errors, which is why they don't need or have the capability
to provide checksums.

Moreover, if you did remove the checksums, you'd still have people using
$SRCDEST to save repeated downloads and getting the wrong cached content
instead of the updated version, so they'd see nothing available to
update, or repackage old versions with a new version number. And
pkgver() functions are not a solution as pkgver() runs after the sources
are downloaded and cannot be used to update the values in the source=()
array.

-- 
Eli Schwartz
Bug Wrangler and Trusted User

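The four failure modes the message lists (a truncated transfer, an HTML error page or captive-portal page served with 200 OK, and a stale file in $SRCDEST) can be reproduced with a small stand-in for makepkg's sha256sums=() check. The script below is an added example, not makepkg's own code or anything from the thread: the "server" directories, the $SRCDEST directories, the tarball contents and the sha256 values are all constructed inline, and `cp` stands in for the HTTP download.

```sh
#!/bin/sh
# Added example, not makepkg's code: a minimal stand-in for the sha256sums=()
# verification makepkg runs on fetched sources. Every directory and file
# below is constructed for the demonstration.

file_sha256() {
    # Print only the hex digest; fall back to shasum where coreutils is absent.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_source FILE EXPECTED -> prints Passed/FAILED, exit status 0/1
verify_source() {
    if [ "$(file_sha256 "$1")" = "$2" ]; then
        echo Passed; return 0
    fi
    echo FAILED; return 1
}

# fetch_source SERVER_DIR SRCDEST NAME EXPECTED
# Mimics the $SRCDEST behaviour described in the message: a cached file with
# the right name is reused instead of downloaded, and only then checksummed.
fetch_source() {
    [ -e "$2/$3" ] || cp "$1/$3" "$2/$3"   # cp stands in for the HTTP download
    verify_source "$2/$3" "$4"
}

# Runs the four cases and prints one "case: result" line for each.
demo() {
    base=$(mktemp -d)
    mkdir -p "$base/good" "$base/trunc" "$base/portal" "$base/stale"
    printf 'release 1.1 payload\n' > "$base/good/app-1.1.tar"
    expected=$(file_sha256 "$base/good/app-1.1.tar")

    # 1. intact download from the real server into an empty $SRCDEST
    mkdir "$base/dest1"
    echo "clean download: $(fetch_source "$base/good" "$base/dest1" app-1.1.tar "$expected")"

    # 2. connection dropped mid-transfer: the served file is a prefix of the real one
    head -c 8 "$base/good/app-1.1.tar" > "$base/trunc/app-1.1.tar"
    mkdir "$base/dest2"
    echo "truncated download: $(fetch_source "$base/trunc" "$base/dest2" app-1.1.tar "$expected")"

    # 3. captive portal or error page delivered with 200 OK: HTML, not a tarball
    printf '<html><body>please login to this wireless network</body></html>\n' \
        > "$base/portal/app-1.1.tar"
    mkdir "$base/dest3"
    echo "html with 200 OK: $(fetch_source "$base/portal" "$base/dest3" app-1.1.tar "$expected")"

    # 4. stale $SRCDEST: an old build left a file under the new name, so the
    #    download is skipped and the old content would be repackaged silently
    printf 'release 1.0 payload\n' > "$base/stale/app-1.1.tar"
    echo "stale cached file: $(fetch_source "$base/good" "$base/stale" app-1.1.tar "$expected")"

    rm -rf "$base"
}

demo
```

Only the first case passes; the other three are exactly the situations where, without a checksum, makepkg would go on to build a package from garbage or from last release's sources. Case 3 also shows why checking the HTTP status code alone (e.g. `curl --fail`) is not enough: the portal page arrives as a 200.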