Hi,
As more of our official packages use git sources, I'd like to suggest we
always enforce some kind of checksum verification. More specifically,
I'd like us to avoid using straightforward source arrays such as:
source=("git://github.com/systemd/systemd.git#tag=v$pkgver")
md5sums=('SKIP')
Instead I suggest we use the full commit hash. In the example above,
that'd become something like:
_commit=9a50ce20ef60263a6c88c29470ce761fcc424f2d
source=("git://github.com/systemd/systemd.git#commit=$_commit")
md5sums=('SKIP')
Does that sound like a good idea?
--
Gaetan
