bryson/pacman
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

makepkg: add CRC checksums and set these to be the default

Browse source 
Checksums arrays should be filled with values provided by upstream.  We
currently have md5 set as an unsecure default, and are constantly asked to
change it to sha2.  However, just changing the default to a stronger checksum
gives the user the impression that "makepkg -g" checksums are perfect.

Instead, change the default checksum to a CRC, to make it clear that any
checksum generated purely by "makepkg -g" is not ideal.

Signed-off-by: Allan McRae <allan@archlinux.org>
This commit is contained in:
Allan McRae 2020-01-23 12:14:14 +10:00
parent c3852ff425
commit 21af798604
5 changed files with 13 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
doc/PKGBUILD.5.asciidoc
View file

@ -118,7 +118,7 @@ systems (see below).
+ +
Additional architecture-specific sources can be added by appending an Additional architecture-specific sources can be added by appending an
underscore and the architecture name e.g., 'source_x86_64=()'. There must be a underscore and the architecture name e.g., 'source_x86_64=()'. There must be a
corresponding integrity array with checksums, e.g. 'md5sums_x86_64=()'. corresponding integrity array with checksums, e.g. 'cksums_x86_64=()'.
+ +
It is also possible to change the name of the downloaded file, which is helpful It is also possible to change the name of the downloaded file, which is helpful
with weird URLs and for handling multiple source files with the same with weird URLs and for handling multiple source files with the same
@ -146,19 +146,19 @@ contain whitespace characters.
listed here will not be extracted with the rest of the source files. This listed here will not be extracted with the rest of the source files. This
is useful for packages that use compressed data directly. is useful for packages that use compressed data directly.
*md5sums (array)*:: *cksums (array)*::
This array contains an MD5 hash for every source file specified in the This array contains CRC checksums for every source file specified in the
source array (in the same order). makepkg will use this to verify source source array (in the same order). makepkg will use this to verify source
file integrity during subsequent builds. If 'SKIP' is put in the array file integrity during subsequent builds. If 'SKIP' is put in the array
in place of a normal hash, the integrity check for that source file will in place of a normal hash, the integrity check for that source file will
be skipped. To easily generate md5sums, run ``makepkg -g >> PKGBUILD''. be skipped. To easily generate cksums, run ``makepkg -g >> PKGBUILD''.
If desired, move the md5sums line to an appropriate location. Note that If desired, move the cksums line to an appropriate location. Note that
checksums generated by "makepkg -g" should be verified using checksum checksums generated by "makepkg -g" should be verified using checksum
values provided by the software developer. values provided by the software developer.
*sha1sums, sha224sums, sha256sums, sha384sums, sha512sums, b2sums (arrays)*:: *md5sums, sha1sums, sha224sums, sha256sums, sha384sums, sha512sums, b2sums (arrays)*::
Alternative integrity checks that makepkg supports; these all behave Alternative integrity checks that makepkg supports; these all behave
similar to the md5sums option described above. To enable use and generation similar to the cksums option described above. To enable use and generation
of these checksums, be sure to set up the `INTEGRITY_CHECK` option in of these checksums, be sure to set up the `INTEGRITY_CHECK` option in
linkman:makepkg.conf[5]. linkman:makepkg.conf[5].

2
doc/makepkg.conf.5.asciidoc
View file

@ -192,7 +192,7 @@ Options
**INTEGRITY_CHECK=(**check1 ...**)**:: **INTEGRITY_CHECK=(**check1 ...**)**::
File integrity checks to use. Multiple checks may be specified; this File integrity checks to use. Multiple checks may be specified; this
affects both generation and checking. The current valid options are: affects both generation and checking. The current valid options are:
`md5`, `sha1`, `sha224`, `sha256`, `sha384`, `sha512`, and `b2`. `ck`, `md5`, `sha1`, `sha224`, `sha256`, `sha384`, `sha512`, and `b2`.
**STRIP_BINARIES=**"--strip-all":: **STRIP_BINARIES=**"--strip-all"::
Options to be used when stripping binaries. See linkman:strip[1] Options to be used when stripping binaries. See linkman:strip[1]

4
etc/makepkg.conf.in
View file

@ -89,8 +89,8 @@ BUILDENV=(!distcc color !ccache check !sign)
# #
OPTIONS=(strip docs libtool staticlibs emptydirs zipman purge !debug) OPTIONS=(strip docs libtool staticlibs emptydirs zipman purge !debug)
#-- File integrity checks to use. Valid: md5, sha1, sha224, sha256, sha384, sha512, b2 #-- File integrity checks to use. Valid: ck, md5, sha1, sha224, sha256, sha384, sha512, b2
INTEGRITY_CHECK=(md5) INTEGRITY_CHECK=(ck)
#-- Options to be used when stripping binaries. See `man strip' for details. #-- Options to be used when stripping binaries. See `man strip' for details.
STRIP_BINARIES="@STRIP_BINARIES@" STRIP_BINARIES="@STRIP_BINARIES@"
#-- Options to be used when stripping shared libraries. See `man strip' for details. #-- Options to be used when stripping shared libraries. See `man strip' for details.

2
scripts/libmakepkg/util/schema.sh.in
View file

@ -26,7 +26,7 @@ LIBRARY=${LIBRARY:-'@libmakepkgdir@'}
source "$LIBRARY/util/util.sh" source "$LIBRARY/util/util.sh"
known_hash_algos=({md5,sha{1,224,256,384,512},b2}) known_hash_algos=({ck,md5,sha{1,224,256,384,512},b2})
pkgbuild_schema_arrays=(arch backup checkdepends conflicts depends groups pkgbuild_schema_arrays=(arch backup checkdepends conflicts depends groups
license makedepends noextract optdepends options license makedepends noextract optdepends options

4
scripts/makepkg.sh.in
View file

@ -1195,8 +1195,8 @@ unset "${known_hash_algos[@]/%/sums}"
unset -f pkgver prepare build check package "${!package_@}" unset -f pkgver prepare build check package "${!package_@}"
unset "${!makedepends_@}" "${!depends_@}" "${!source_@}" "${!checkdepends_@}" unset "${!makedepends_@}" "${!depends_@}" "${!source_@}" "${!checkdepends_@}"
unset "${!optdepends_@}" "${!conflicts_@}" "${!provides_@}" "${!replaces_@}" unset "${!optdepends_@}" "${!conflicts_@}" "${!provides_@}" "${!replaces_@}"
unset "${!md5sums_@}" "${!sha1sums_@}" "${!sha224sums_@}" "${!sha256sums_@}" unset "${!cksums_@}" "${!md5sums_@}" "${!sha1sums_@}" "${!sha224sums_@}"
unset "${!sha384sums_@}" "${!sha512sums_@}" "${!b2sums_@}" unset "${!sha256sums_@}" "${!sha384sums_@}" "${!sha512sums_@}" "${!b2sums_@}"
BUILDFILE=${BUILDFILE:-$BUILDSCRIPT} BUILDFILE=${BUILDFILE:-$BUILDSCRIPT}
if [[ ! -f $BUILDFILE ]]; then if [[ ! -f $BUILDFILE ]]; then