makepkg: immutable mercurial sources by hashing the checkout content
This feature makes Mercurial VCS build inputs immutable by adding support for pinning a Mercurial checkout by a hash of its content, using the deterministic export functionality of `hg archive`. This aids packagers by allowing them to use simple and convenient refnames (instead of full commit hashes) in the `PKGBUILD` while still preserving the security properties of immutable build inputs, by means of a trusted cryptographic hash function over the content. Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
parent
2fc2ab6cf0
commit
ca3c873d48
1 changed files with 27 additions and 0 deletions
|
@ -111,3 +111,30 @@ extract_hg() {
|
|||
|
||||
popd &>/dev/null
|
||||
}
|
||||
|
||||
calc_checksum_hg() {
|
||||
local netfile=$1 integ=$2 ret=0 shellopts dir url fragment fragval sum
|
||||
|
||||
# this function requires pipefail - save current status to restore later
|
||||
shellopts=$(shopt -p -o pipefail)
|
||||
shopt -s -o pipefail
|
||||
|
||||
dir=$(get_filepath "$netfile")
|
||||
url=$(get_url "$netfile")
|
||||
fragment=$(get_uri_fragment "$url")
|
||||
|
||||
case ${fragment%%=*} in
|
||||
tag|revision)
|
||||
fragval=${fragment##*=}
|
||||
sum=$(hg --repository "$dir" archive --type tar --rev "$fragval" - | "${integ}sum" 2>&1) || ret=1
|
||||
sum="${sum%% *}"
|
||||
;;
|
||||
*)
|
||||
sum="SKIP"
|
||||
;;
|
||||
esac
|
||||
|
||||
eval "$shellopts"
|
||||
printf '%s' "$sum"
|
||||
return $ret
|
||||
}
|
||||
|
|
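Review bot: When the `hg archive` pipeline in the `tag|revision)` arm fails, `ret` is set to 1 but `sum` is still trimmed and printed, so a caller that reads stdout without checking the status would receive the digest of an empty or truncated stream (or, because of `2>&1`, the first word of the checksum tool's error message). Consider clearing the value on failure and dropping the stderr merge, e.g. `sum=$(hg --repository "$dir" archive --type tar --rev "$fragval" - | "${integ}sum") || { sum=; ret=1; }`. Whether callers check the return status is not visible in this hunk. Separately, the pin is only as stable as the archive bytes: as far as I know `hg archive` also writes a `.hg_archival.txt` metadata file whose tag lines can change when upstream later tags the pinned revision, so it may be worth confirming that file is excluded or documenting the limitation in a comment above `calc_checksum_hg`.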