On Thu 06 May 2010 15:59 +1200, Jonathan Conder wrote:
> On Thu, 2010-05-06 at 10:51 +1000, Allan McRae wrote:
> > 3) 5d911ae makepkg: allow skipping integrity checks when making source
> > package
> >
> > And here is the fun one... "makepkg --source" currently requires
> > checking all checksums. Using "-source --skipinteg" does not skip this,
> > which in itself makes little sense to me. The argument that this stops
> > people distributing packages with bad checksums is flawed. There is
> > nothing stopping them doing that now. They just have to not use makepkg
> > when creating the tarball, which could lead to even worse PKGBUILDs
> > being distributed as none of makepkg's other checks would be performed.
>
> I found a use case for this recently. For some reason uploading the
> tarball of my project to GitHub changed its checksum, so had to adjust
> that in the PKGBUILD. But when I put it on the AUR, people complained
> that the checksum was wrong. I tried to revert it, but makepkg would not
> let me run --source without the original tarball (which I had deleted),
> so I had to run make dist all over again, re-upload and so on. This time
> I used the original checksum (after checking that the extracted tarballs
> were the same, of course), and that seemed to work. But it would have
> been easier for me if makepkg just skipped the --source integrity check.

I think checksums were implemented for exactly that type of situation. If the server altered your file, or there was some server error, then the check should fail.
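
Added example, not part of the original thread and not makepkg code: it separates the two checks discussed above, the checksum of the archive bytes (which changes on any re-packing) and a per-file comparison of the extracted contents. The file names, contents and gzip timestamps are constructed sample data, and the helper names are hypothetical.

```python
import gzip
import hashlib
import io
import tarfile


def make_tarball(files, gzip_mtime):
    """Build a .tar.gz in memory; gzip_mtime is stored in the gzip header."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=gzip_mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def archive_digest(blob):
    """Checksum of the archive bytes, as a PKGBUILD checksum array records it."""
    return hashlib.sha256(blob).hexdigest()


def content_digests(blob):
    """Map every regular file in the archive to (mode, sha256 of its data)."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                digests[member.name] = (member.mode, hashlib.sha256(data).hexdigest())
    return digests


def compare(a, b):
    """Report whether two archives match byte for byte and file for file."""
    return {
        "same_archive": archive_digest(a) == archive_digest(b),
        "same_content": content_digests(a) == content_digests(b),
    }


# Constructed sample data: one project tree packed twice, plus an altered copy.
FILES = {"proj-1.0/configure": b"#!/bin/sh\n", "proj-1.0/main.c": b"int main(void){return 0;}\n"}
ORIGINAL = make_tarball(FILES, gzip_mtime=1)
RECOMPRESSED = make_tarball(FILES, gzip_mtime=2)   # same files, new gzip header
ALTERED = make_tarball({**FILES, "proj-1.0/main.c": b"int main(void){return 1;}\n"}, gzip_mtime=1)

if __name__ == "__main__":
    print("re-packed:", compare(ORIGINAL, RECOMPRESSED))
    print("altered:  ", compare(ORIGINAL, ALTERED))
```

The archive checksum alone cannot tell a harmless re-pack from a modified file; only the per-file comparison distinguishes the two cases.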
