On Sat, 29 May 2021 22:25:45 -0400 Eli Schwartz via aur-general <aur-general@lists.archlinux.org> said:
> On 5/29/21 7:00 AM, Carsten Haitzler via aur-general wrote:
> > Maybe just treat this similarly to aur -git builds - the upstream can't be
> > checksummed (sensibly) and thus they are skipped. As with all AUR things - user
> > beware, and you are already told to check the PKGBUILD for anything
> > suspicious, and it's why AUR helpers are generally discouraged. If you use
> > this AUR you take on the responsibility and risks that removing the shasums
> > creates.
>
> The checksums are less about security and more about detecting things
> like truncated downloads, server error pages that deliver "oops, page
> not found" HTML content with a 200 OK response code, or captive portals
> that deliver "please login to this wireless network" using, again, 200
> OK response codes.

But as it's an rpm - this will be found soon enough with a corrupted rpm (it's
not an rpm, or it's partial). I'm sure you can find some rpm consistency
checking that is able to detect this.

> git builds have the advantage that the git protocol is internally able
> to verify that the response is a) git repos, b) didn't get corrupted by
> network errors, which is why they don't need or have the capability to
> provide checksums.
>
> Moreover, if you did remove the checksums, you'd still have people using
> $SRCDEST to save repeated downloads and getting the wrong cached content
> instead of the updated version, so they'd see nothing available to
> update, or repackage old versions with a new version number. And
> pkgver() functions are not a solution as pkgver() runs after the sources
> are downloaded and cannot be used to update the values in the source=()
> array.

Extract it from the rpm... :)

The PKGBUILD can also nuke any local files in the build dir (i.e. src), which
negates that form of caching at least. If an intermediate proxy caches - then
... either way we have a failure. The pkg doesn't update - stays the same
version, or the shasum fails to build a package. Either way - failure, and the
user doesn't get an update. :)

If an upstream is actively trying to make things hard, we're going to have
issues no matter what.

-- 
------------- Codito, ergo sum - "I code, therefore I am" --------------
Carsten Haitzler - ras...@rasterman.com
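The two failure modes discussed in this thread can be seen side by side with a small script. This is an added example, not something posted to the list or part of any PKGBUILD: it builds three constructed "downloads" in a temp dir (a stale but structurally valid rpm standing in for a cached $SRCDEST copy, the current rpm, and an HTML error page served with 200 OK) and runs each through a structural rpm check (the 4-byte rpm lead magic ED AB EE DB) and a PKGBUILD-style sha256 check. It assumes a POSIX sh with coreutils-style head, od and sha256sum; the function names and the payloads are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): a structural check of a downloaded
# .rpm versus a PKGBUILD-style pinned checksum, run over constructed files.
# No network access is needed; everything lives in a temp dir.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Every rpm file starts with the 4-byte lead magic 0xED 0xAB 0xEE 0xDB.
# is_rpm: exit 0 when the file carries that magic, 1 otherwise.
is_rpm() {
    [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "edabeedb" ]
}

# verify_sha256 FILE DIGEST: exit 0 when the file matches the digest, 1 otherwise.
# This is the check makepkg performs against the sha256sums=() array.
verify_sha256() {
    echo "$2  $1" | sha256sum -c --status -
}

# Constructed downloads (hypothetical payloads, not real packages):
#  old.rpm - a stale copy with a valid lead, like a cached $SRCDEST file
#  new.rpm - the current upstream file, also with a valid lead
#  err.rpm - an "oops, page not found" body delivered with a 200 OK status
printf '\355\253\356\333old-payload' > "$WORK/old.rpm"
printf '\355\253\356\333new-payload' > "$WORK/new.rpm"
printf '<html><body>oops, page not found</body></html>' > "$WORK/err.rpm"

# The digest a PKGBUILD would pin for the current release. It is computed
# here only because the input is constructed; a real PKGBUILD hard-codes it.
NEW_SUM=$(sha256sum "$WORK/new.rpm" | cut -d' ' -f1)

# classify FILE: report what each check says about the download.
classify() {
    if ! is_rpm "$1"; then
        echo "not an rpm"
    elif ! verify_sha256 "$1" "$NEW_SUM"; then
        echo "rpm, checksum mismatch"
    else
        echo "rpm, checksum ok"
    fi
}

for f in old new err; do
    printf '%s.rpm: %s\n' "$f" "$(classify "$WORK/$f.rpm")"
done
```

The magic-byte check alone rejects the HTML error page and a truncated file shorter than four bytes, which is the corruption case raised above; it accepts the stale cached copy just as happily as the current one, which is the $SRCDEST case, and only the pinned digest tells those two apart.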