[Dev] Fwd: [arch-dev-public] git packages and checksums

Luke Shumaker lukeshu at sbcglobal.net
Thu Jul 23 04:47:05 GMT 2015


On Sat, 18 Jul 2015 19:20:53 -0600,
fauno wrote:
> 
> fyi
> 
> -- 
> }(:=
> 
> -------------------- Start of forwarded message --------------------
> Date: Sat, 18 Jul 2015 10:04:28 -1000
> From: Gaetan Bisson <bisson at archlinux.org>
> Subject: [arch-dev-public] git packages and checksums
> 
> Hi,
> 
> As more of our official packages use git sources, I'd like to suggest we
> always enforce some kind of checksum verification. More specifically,
> I'd like us to avoid using straightforward source arrays such as:
> 
> 	source=("git://github.com/systemd/systemd.git#tag=v$pkgver")
> 	md5sums=('SKIP')
> 
> Instead I suggest we use the full commit hash. In the example above,
> that'd become something like:
> 
> 	_commit=9a50ce20ef60263a6c88c29470ce761fcc424f2d
> 	source=("git://github.com/systemd/systemd.git#commit=$_commit")
> 	md5sums=('SKIP')
> 
> Does that sound like a good idea?

You mean what I've been enforcing on Parabola packages from the
get-go? ;-)

-- 
Happy hacking,
~ Luke Shumaker
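
The pinning rule proposed in the quoted message, as an added example that is not part of this thread or of any Arch or Parabola tooling: a small shell linter that classifies already-expanded `source=()` entries by how firmly a git source is pinned. The function names, verdict labels and sample entries are assumptions made for illustration, and a 40-hex-digit `#commit=` value is treated as the full hash.

```bash
# Added example (not from the thread): classify makepkg source entries by how
# firmly a git source is pinned. Entries must already be expanded, i.e. with
# $pkgver or $_commit substituted.

# Prints: not-git | pinned | short-commit | mutable-ref | unpinned
classify_source() {
    local url frag val
    url=${1#*::}                      # drop the optional "name::" prefix
    case $url in
        git://*|git+*) ;;             # git transports as written in source=()
        *) echo not-git; return 0 ;;
    esac
    case $url in
        *'#'*) frag=${url##*'#'} ;;   # text after the last '#'
        *) echo unpinned; return 0 ;; # no fragment: whatever HEAD is today
    esac
    case $frag in
        commit=*)
            val=${frag#commit=}
            case $val in
                ''|*[!0-9a-fA-F]*) echo unpinned ;;   # not a hex object id
                *) if [ "${#val}" -eq 40 ]; then echo pinned
                   else echo short-commit; fi ;;      # abbreviated hash
            esac ;;
        tag=*|branch=*) echo mutable-ref ;;  # upstream can move these
        *) echo unpinned ;;
    esac
}

# Lint a list of entries; returns 1 if any git source is not fully pinned.
lint_sources() {
    local entry verdict rc=0
    for entry in "$@"; do
        verdict=$(classify_source "$entry")
        printf '%-13s %s\n' "$verdict" "$entry"
        case $verdict in
            pinned|not-git) ;;
            *) rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample input: the two forms from the message, with the tag
# expanded to a placeholder version.
lint_sources \
    'git://github.com/systemd/systemd.git#tag=vPLACEHOLDER' \
    'git://github.com/systemd/systemd.git#commit=9a50ce20ef60263a6c88c29470ce761fcc424f2d' \
    || echo 'result: at least one git source is not pinned to a full commit hash'
```
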
