makepkg: immutable bzr by hashing the checkout content
This feature makes bzr VCS build inputs immutable by adding support for pinning a bzr checkout to a hash of its content, using the deterministic export functionality of `bzr export`. This preserves the security properties of immutable build inputs by relying on a trusted cryptographic hash function over the content. Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
parent
ca3c873d48
commit
ee933acf84
1 changed files with 26 additions and 0 deletions
|
@ -109,3 +109,29 @@ extract_bzr() {
|
||||||
|
|
||||||
popd &>/dev/null
|
popd &>/dev/null
|
||||||
}
|
}
|
||||||
|
|
||||||
|
calc_checksum_bzr() {
|
||||||
|
local netfile=$1 integ=$2 ret=0 shellopts dir url fragment fragval sum
|
||||||
|
|
||||||
|
# this function requires pipefail - save current status to restore later
|
||||||
|
shellopts=$(shopt -p -o pipefail)
|
||||||
|
shopt -s -o pipefail
|
||||||
|
|
||||||
|
dir=$(get_filepath "$netfile")
|
||||||
|
url=$(get_url "$netfile")
|
||||||
|
fragment=$(get_uri_fragment "$url")
|
||||||
|
|
||||||
|
case ${fragment%%=*} in
|
||||||
|
revision)
|
||||||
|
fragval=${fragment##*=}
|
||||||
|
sum=$(bzr export --directory "$dir" --format tar --revision "$fragval" - | "${integ}sum" 2>&1) || ret=1
|
||||||
|
sum="${sum%% *}"
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
sum="SKIP"
|
||||||
|
esac
|
||||||
|
|
||||||
|
eval "$shellopts"
|
||||||
|
printf '%s' "$sum"
|
||||||
|
return $ret
|
||||||
|
}
|
||||||
|
|
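Review bot: In the `revision)` branch a failed pipeline still leaves a digest-shaped or error-derived string in `sum`, and the function prints it anyway. With pipefail, a `bzr export` that dies part-way still lets `"${integ}sum"` emit a well-formed hash of the truncated stream, and the `2>&1` folds the checksum tool's own error text into the captured value. Only `ret=1` then separates that from a real pin, so I would drop the redirect and clear the value on failure: `sum=$(bzr export --directory "$dir" --format tar --revision "$fragval" - | "${integ}sum") || { ret=1; sum=; }`. Separately, the pin is only as stable as the byte stream `bzr export --format tar` produces. Whether tar member timestamps come from the revision or from export time is not visible in this hunk and may differ between bzr implementations, so a comment stating that assumption (and whether `--per-file-timestamps` was considered) would help whoever later debugs a checksum mismatch.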