Re: Severity of Failed checksum for PKGBUILD

On Thu, 19 Feb 2015 15:34:31 -0500
Mark Lee <mark@xxxxxxxxxxxx> wrote:

> On 02/19/2015 03:28 PM, Doug Newgard wrote:
> > On Thu, 19 Feb 2015 15:15:42 -0500
> > Mark Lee <mark@xxxxxxxxxxxx> wrote:
> > 
> >> Salutations,
> >>
> >> After trying to build the mpv-0.8.0-1 and finding that the PKGBUILD's
> >> checksum was incorrect, I filed a bug report. See
> >> <https://bugs.archlinux.org/task/43882?project=5&cat%5B0%5D=33&string=mpv>.
> >>
> >> I filed it under "critical" since an incorrect checksum means that the
> >> package was built from source that doesn't match upstream's source. I
> >> was told it's not a critical issue and it was downgraded to medium. I'm
> >> wondering why incorrect checksums aren't considered "critical".
> >>
> >> Regards,
> >> Mark
> > 
> > The checksum matched when the package was built or it wouldn't have built
> > for the maintainer, either. This means it's not a security issue, the only
> > way it could be considered critical. All it means is that upstream changed
> > something, only really affecting people trying to build from the PKGBUILDs.
> > Normally, I would make this low severity, as it really doesn't matter that
> > much.
> > 
> > Doug
> > 
> 
> To Doug,
> 
> While I am not accusing the packager of any misdeeds, since another bug
> report indicates that there was an upstream change, a correct PKGBUILD
> should be able to be rebuilt. If the package cannot be rebuilt using the
> same PKGBUILD linked to upstream, how can one trust that there hasn't
> been some tampering with the package source outside of the PKGBUILD?
> 
> Regards,
> Mark

You can't. If upstream provides a checksum, that gives you some verification,
but since github doesn't, there's no way to verify any of it. That's either
when the maintainer built it or when you did. The checksum is pretty much
useless in this case.

Doug
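The point both messages circle around can be shown in a few lines of shell. What follows is an added example written for this archive page; it is not code from the thread, from mpv, or from makepkg itself. It emulates the source-checksum step of a PKGBUILD (sha256sum compared against the value the maintainer recorded) on a constructed "mpv-0.8.0" source tree, and runs two cases: upstream re-rolls the same sources into a new tarball, and someone substitutes a tarball with different source. The function names and the sample tree are this example's own.

```shell
#!/bin/sh
# Added example for this thread, not code from the list or from makepkg:
# emulate the source checksum step of a PKGBUILD. Function names and the
# "mpv-0.8.0" tree below are constructed for the example.
set -eu

# Compare a file's SHA-256 against a value as recorded in a PKGBUILD's
# sha256sums=() array. Returns 0 on match, 1 on mismatch.
verify_source() {
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  [ "$actual" = "$2" ]
}

# Construct an "upstream" release tarball from a tiny source tree.
# $1 = work dir, $2 = mtime stamped on the tree; prints the tarball path.
make_release() {
  mkdir -p "$1/mpv-0.8.0"
  printf 'int main(void){return 0;}\n' > "$1/mpv-0.8.0/main.c"
  touch -d "$2" "$1/mpv-0.8.0/main.c" "$1/mpv-0.8.0"
  tar -C "$1" -cf "$1/v0.8.0.tar" mpv-0.8.0
  echo "$1/v0.8.0.tar"
}

# Case 1: the maintainer records the sum, then upstream re-rolls the tarball
# with identical sources but new timestamps. The recorded sum fails for
# anyone rebuilding later even though the source tree is byte-for-byte the same.
demo_rerolled_tarball() {
  work=$(mktemp -d)
  t1=$(make_release "$work/a" '2015-02-01 00:00:00')
  sum=$(sha256sum "$t1" | cut -d' ' -f1)      # what the PKGBUILD would carry
  verify_source "$t1" "$sum" || { rm -rf "$work"; return 2; }  # maintainer's build passes
  t2=$(make_release "$work/b" '2015-02-19 00:00:00')
  if verify_source "$t2" "$sum"; then rm -rf "$work"; return 3; fi  # later rebuild fails
  c1=$(sha256sum "$work/a/mpv-0.8.0/main.c" | cut -d' ' -f1)
  c2=$(sha256sum "$work/b/mpv-0.8.0/main.c" | cut -d' ' -f1)
  rm -rf "$work"
  [ "$c1" = "$c2" ]                           # the code inside did not change
}

# Case 2: the archive is replaced with one whose source differs (constructed
# tampering). The symptom is the same mismatch as case 1: the checksum alone
# cannot tell a benign re-roll from a substituted source.
demo_tampered_tarball() {
  work=$(mktemp -d)
  t1=$(make_release "$work/a" '2015-02-01 00:00:00')
  sum=$(sha256sum "$t1" | cut -d' ' -f1)
  printf 'int main(void){return 1;}\n' > "$work/a/mpv-0.8.0/main.c"
  touch -d '2015-02-01 00:00:00' "$work/a/mpv-0.8.0/main.c" "$work/a/mpv-0.8.0"
  tar -C "$work/a" -cf "$t1" mpv-0.8.0
  matched=0
  if verify_source "$t1" "$sum"; then matched=1; fi
  rm -rf "$work"
  [ "$matched" -eq 0 ]
}

demo_rerolled_tarball && echo "re-roll: checksum mismatch, source identical"
demo_tampered_tarball && echo "tamper: checksum mismatch, source changed"
```

Both cases fail the same way, which is the substance of Doug's reply: the sum in the PKGBUILD only binds the build to the bytes the maintainer happened to fetch, so a mismatch says "the file changed since then" and nothing about who changed it. The verification that would distinguish the two cases has to come from upstream; where a project publishes a detached signature, a PKGBUILD can list the .sig file in source=() and the signer's fingerprint in validpgpkeys=() so makepkg checks it, but auto-generated GitHub archives, as Doug notes, carry no such thing.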

