[aur-general] Support for remote sums in PKGBUILDs

Ido Rosen ido at kernel.org
Mon Oct 21 22:20:36 EDT 2013


s/possible/possibly/
s/checksum in there/checksum in the PKGBUILD as usual/



On Mon, Oct 21, 2013 at 10:19 PM, Ido Rosen <ido at kernel.org> wrote:

> - Do PKGBUILDs support signing the PKGBUILD and verifying that signature?
>  (This seems like a good feature for yaourt or possible makepkg if it isn't
> one already.)
>   It seems like if you want safety from MITM attacks, PGP sigs are the way
> to go, either sign the PKGBUILD and put the checksum in there, or include
> the signature of the source file in the tarball/pkg.  (This is already
> provided for binary pkgs, but not source ones, correct?  Seems easy enough
> to add a PKGBUILD signature and teach makepkg to use it.)
>
>
>
> On Mon, Oct 21, 2013 at 10:13 PM, Doug Newgard <scimmia22 at outlook.com> wrote:
>
>> ----------------------------------------
>> > From: adys.wh at gmail.com
>> > Date: Tue, 22 Oct 2013 01:56:16 +0100
>> > To: aur-general at archlinux.org
>> > Subject: [aur-general] Support for remote sums in PKGBUILDs
>> >
>> > Breaking away from an IRC convo from this morning; has support for
>> > remote sums been considered for pacman?
>> > It's currently possible to do this for .sig files (through the source
>> > array), but not available for simple sha/md5 hashes. This would let
>> > packagers do something like:
>> > source=("http://example.com/downloads/$pkgname-$pkgver.tar.xz")
>> > sha1sums=("http://example.com/downloads/$pkgname-$pkgver.tar.xz.sha1")
>> >
>> > (Of course, only for servers that generate a programmatically
>> > discoverable hash of some sort; but it's not actually uncommon)
>> >
>> > J. Leclanche
>>
>> Couldn't you just do:
>> sha1sums=("$(curl
>> http://example.com/downloads/$pkgname-$pkgver.tar.xz.sha1)")
>>
>> It kind of defeats the purpose, though. If the server is hacked or
>> someone does a MitM, they can easily replace the checksum file as well.
>>
>
>
>
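
The point Doug raises above (a checksum served from the same host as the tarball can be swapped along with it, while a digest pinned in the PKGBUILD cannot), as an added shell example that is not part of this thread or of makepkg: a temporary directory stands in for the download server, reading its .sha1 file stands in for the curl call, and the tarball contents are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: contrast a digest pinned in the
# PKGBUILD with one fetched from beside the tarball on the same server.
set -eu

# verify_pinned FILE DIGEST: the makepkg model, the expected digest is in the PKGBUILD.
verify_pinned() {
  actual=$(sha1sum "$1" | cut -d' ' -f1)
  [ "$actual" = "$2" ]
}

# verify_remote FILE: the proposed model, the expected digest is read from FILE.sha1
# published next to the tarball (this read stands in for curl).
verify_remote() {
  expected=$(cut -d' ' -f1 < "$1.sha1")
  verify_pinned "$1" "$expected"
}

# setup_mirror: publish a constructed tarball and its .sha1, and record the digest
# the packager pinned at packaging time. Sets MIRROR, TARBALL and PINNED.
setup_mirror() {
  MIRROR=$(mktemp -d)
  TARBALL="$MIRROR/pkg-1.0.tar.xz"
  printf 'genuine upstream release\n' > "$TARBALL"
  sha1sum "$TARBALL" > "$TARBALL.sha1"
  PINNED=$(sha1sum "$TARBALL" | cut -d' ' -f1)
}

# compromise_mirror: the server-compromise / MitM case from the thread; whoever can
# replace the tarball can regenerate the checksum file beside it just as easily.
compromise_mirror() {
  printf 'tampered release\n' > "$TARBALL"
  sha1sum "$TARBALL" > "$TARBALL.sha1"
}

# tampering_detected_only_by_pinned: exit 0 when both checks accept the genuine
# file, and after the swap only the pinned digest rejects it.
tampering_detected_only_by_pinned() {
  setup_mirror
  verify_pinned "$TARBALL" "$PINNED" && verify_remote "$TARBALL" || return 1
  compromise_mirror
  ! verify_pinned "$TARBALL" "$PINNED" || return 1
  verify_remote "$TARBALL"
}

if tampering_detected_only_by_pinned; then
  echo "pinned sha1sums caught the swap; the remote .sha1 did not"
fi
```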

