bryson/pacman
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Note that checksums from "makepkg -g" are not ideal

Browse source 
Generating checksums with "makepkg -g" only determines that the user of a
PKGBUILD has the same file as the packager (assuming no collision).  This
means an upstream source could be maliciously changed and passed on as valid
by a PKGBUILD.  To avoid this, it is essential that any checksums used in
a PKGBUILD are as provided by upstream.

Signed-off-by: Allan McRae <allan@archlinux.org>
This commit is contained in:
Allan McRae 2020-01-23 12:04:28 +10:00
parent e54617c7d5
commit c3852ff425
1 changed files with 3 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
doc/PKGBUILD.5.asciidoc
View file

@ -152,7 +152,9 @@ contain whitespace characters.
file integrity during subsequent builds. If 'SKIP' is put in the array
in place of a normal hash, the integrity check for that source file will
be skipped. To easily generate md5sums, run ``makepkg -g >> PKGBUILD''.
If desired, move the md5sums line to an appropriate location.
If desired, move the md5sums line to an appropriate location. Note that
checksums generated by "makepkg -g" should be verified using checksum
values provided by the software developer.
*sha1sums, sha224sums, sha256sums, sha384sums, sha512sums, b2sums (arrays)*::
Alternative integrity checks that makepkg supports; these all behave