----------------------------------------
> From: [email protected]
> Date: Tue, 22 Oct 2013 01:56:16 +0100
> To: [email protected]
> Subject: [aur-general] Support for remote sums in PKGBUILDs
>
> Breaking away from an IRC convo from this morning; has support for
> remote sums been considered for pacman?
> It's currently possible to do this for .sig files (through the source
> array), but not available for simple sha/md5 hashes. This would let
> packagers do something like:
> source=("http://example.com/downloads/$pkgname-$pkgver.tar.xz";)
> sha1sums=("http://example.com/downloads/$pkgname-$pkgver.tar.xz.sha1";)
>
> (Of course, only for servers that generate a programmatically
> discoverable hash of some sort; but it's not actually uncommon)
>
> J. Leclanche
Couldn't you just do:
sha1sums=("$(curlĀ http://example.com/downloads/$pkgname-$pkgver.tar.xz.sha1)")
It kind of defeats the purpose, though. If the server is hacked or someone does
a MitM, they can easily replace the checksum file as well.
