E5ten/pacaur

Pacaur output suggests integrity checks are skipped

Opened this issue · 3 comments

Version
~ $ pacaur -v
pacaur 4.8.4
Description

Pacaur skips integrity checks for all AUR packages. This is a serious issue, because an important security feature seems to be disabled by default and there is no clear information why or how to enable it.

Makepkg output
$AURDEST/pacaur $ LC_ALL=en_GB.UTF-8 makepkg -f
==> Making package: pacaur 4.8.4-1 (Sat 02 Mar 2019 16:49:11 CET)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Found pacaur-4.8.4.tar.gz
==> Validating source files with sha256sums...
    pacaur-4.8.4.tar.gz ... Passed
==> Extracting sources...
  -> Extracting pacaur-4.8.4.tar.gz with bsdtar
==> Removing existing $pkgdir/ directory...
==> Starting build()...
Generating documentation...
==> Entering fakeroot environment...
==> Starting package()...
Installing...
==> Tidying install...
  -> Removing libtool files...
  -> Purging unwanted files...
  -> Removing static library files...
  -> Stripping unneeded symbols from binaries and libraries...
  -> Compressing man and info pages...
==> Checking for packaging issues...
==> Creating package "pacaur"...
  -> Generating .PKGINFO file...
  -> Generating .BUILDINFO file...
  -> Generating .MTREE file...
  -> Compressing package...
==> Leaving fakeroot environment.
==> Finished making: pacaur 4.8.4-1 (Sat 02 Mar 2019 16:49:12 CET)
Pacaur output

Notice two warnings:

==> WARNING: Skipping dependency checks.
==> WARNING: Skipping all source file integrity checks.
~ $ LC_ALL=en_GB.UTF-8 pacaur -S pacaur
:: Package pacaur not found in repositories, trying AUR...
:: resolving dependencies...
:: looking for inter-conflicts...
:: pacaur-4.8.4-1 is up to date -- reinstalling

AUR Packages  (1)  Old Version  New Version

aur/pacaur         4.8.4-1      4.8.4-1                   

:: Proceed with installation? [Y/n] 
:: Retrieving package(s)...
update complete: /home/ill/src/packages/aur/pacaur
:: pacaur build files are up-to-date -- skipping
:: Checking pacaur integrity...
==> Making package: pacaur 4.8.4-1 (Sat 02 Mar 2019 16:49:51 CET)
==> Retrieving sources...
  -> Found pacaur-4.8.4.tar.gz
==> Validating source files with sha256sums...
    pacaur-4.8.4.tar.gz ... Passed
:: Preparing pacaur...
==> Making package: pacaur 4.8.4-1 (Sat 02 Mar 2019 16:49:51 CET)
==> WARNING: Skipping dependency checks.
==> Retrieving sources...
  -> Found pacaur-4.8.4.tar.gz
==> WARNING: Skipping all source file integrity checks.
==> Extracting sources...
  -> Extracting pacaur-4.8.4.tar.gz with bsdtar
==> Sources are ready.
:: Building pacaur package(s)...
==> Making package: pacaur 4.8.4-1 (Sat 02 Mar 2019 16:49:52 CET)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> WARNING: Using existing $srcdir/ tree
==> Removing existing $pkgdir/ directory...
==> Starting build()...
Generating documentation...
==> Entering fakeroot environment...
==> Starting package()...
Installing...
==> Tidying install...
  -> Removing libtool files...
  -> Purging unwanted files...
  -> Removing static library files...
  -> Stripping unneeded symbols from binaries and libraries...
  -> Compressing man and info pages...
==> Checking for packaging issues...
==> Creating package "pacaur"...
  -> Generating .PKGINFO file...
  -> Generating .BUILDINFO file...
  -> Generating .MTREE file...
  -> Compressing package...
==> Leaving fakeroot environment.
==> Finished making: pacaur 4.8.4-1 (Sat 02 Mar 2019 16:49:53 CET)

That's not true. One call to makepkg verifies the sources, then the following calls skip verification because that's already been done.

Ok, it looks like you are right, but it is still a (UX) issue, because I don't think the user needs to know how many times makepkg is called internally... Those bold upper-case warnings give the impression that integrity and dependency checks are really skipped.

E5ten commented

There is no sane way to remove this output that wouldn't be worse than the mild confusion it has the potential to cause.
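Since the warnings stay in the output, a user who wants to be sure the checks were not actually skipped can verify it from the transcript itself rather than from knowledge of how many times pacaur calls makepkg. The script below is an added example (not pacaur's or makepkg's own code) that audits a captured pacaur run: for every makepkg pass that prints "Skipping all source file integrity checks", it requires an earlier pass for the same package whose "Validating source files with ..." section reported "Passed" for every checksum line. It assumes only the makepkg message strings visible in the transcript above; the two sample transcripts are constructed from that transcript (the second one edited to show the case the reporter feared, where no validating pass exists).

```shell
#!/bin/sh
# Added example, not pacaur's or makepkg's own code. Audits a captured pacaur
# transcript and confirms that every makepkg pass that printed
# "Skipping all source file integrity checks" was preceded, for the same
# package, by a pass whose "Validating source files ..." lines reported Passed.
#
# Reads the transcript on stdin. Returns 0 when every skipinteg pass was
# covered by a passed validation, 1 when some package had its checks skipped
# with no prior passed validation. A checksum line reading "Skipped" (a SKIP
# entry in the PKGBUILD) counts as neither passed nor failed, so a package
# whose sources are all SKIP is reported as unverified, which is accurate.
audit_pacaur_log() {
    pkg=""          # package named by the most recent "Making package:" line
    validating=0    # currently inside a "Validating source files with" section
    verified=""     # packages with at least one Passed line and no failures
    failed=""       # packages with a FAILED / NOT FOUND checksum line
    unverified=""   # packages whose checks were skipped without a prior pass

    while IFS= read -r line; do
        case $line in
            "==> Making package: "*)
                validating=0
                pkg=${line#"==> Making package: "}
                pkg=${pkg%% *} ;;
            "==> Validating source files with "*)
                validating=1 ;;
            "==> WARNING: Skipping all source file integrity checks"*)
                validating=0
                ok=0
                case " $verified " in *" $pkg "*) ok=1 ;; esac
                case " $failed " in *" $pkg "*) ok=0 ;; esac
                if [ "$ok" -eq 0 ]; then
                    unverified="$unverified $pkg"
                fi ;;
            "==> "*)
                validating=0 ;;
            *"... Passed")
                if [ "$validating" -eq 1 ]; then
                    case " $verified " in
                        *" $pkg "*) ;;
                        *) verified="$verified $pkg" ;;
                    esac
                fi ;;
            *"... FAILED" | *"... NOT FOUND")
                if [ "$validating" -eq 1 ]; then
                    failed="$failed $pkg"
                fi ;;
        esac
    done

    if [ -n "$unverified" ]; then
        for p in $unverified; do
            printf 'UNVERIFIED: %s had integrity checks skipped with no prior passed validation\n' "$p"
        done
        return 1
    fi
    printf 'OK: every skipinteg pass was covered by a passed validation (%s)\n' "${verified# }"
    return 0
}

# Constructed sample: the relevant lines of the transcript from the issue, in
# which the first makepkg pass validated the tarball and a later pass skipped.
sample_verified_log() {
    cat <<'EOF'
:: Checking pacaur integrity...
==> Making package: pacaur 4.8.4-1 (Sat 02 Mar 2019 16:49:51 CET)
==> Retrieving sources...
  -> Found pacaur-4.8.4.tar.gz
==> Validating source files with sha256sums...
    pacaur-4.8.4.tar.gz ... Passed
:: Preparing pacaur...
==> Making package: pacaur 4.8.4-1 (Sat 02 Mar 2019 16:49:51 CET)
==> WARNING: Skipping dependency checks.
==> Retrieving sources...
  -> Found pacaur-4.8.4.tar.gz
==> WARNING: Skipping all source file integrity checks.
==> Extracting sources...
==> Sources are ready.
EOF
}

# Constructed sample of the case the reporter feared: the checks really are
# skipped and no validating pass for the package appears anywhere in the run.
sample_unverified_log() {
    cat <<'EOF'
:: Preparing pacaur...
==> Making package: pacaur 4.8.4-1 (Sat 02 Mar 2019 16:49:51 CET)
==> WARNING: Skipping dependency checks.
==> Retrieving sources...
  -> Found pacaur-4.8.4.tar.gz
==> WARNING: Skipping all source file integrity checks.
==> Extracting sources...
==> Sources are ready.
EOF
}

# Real use:  pacaur -S <pkg> 2>&1 | tee pacaur.log; audit_pacaur_log < pacaur.log
# Demo on the two constructed samples:  sh audit_pacaur.sh --demo
if [ "${1:-}" = "--demo" ]; then
    sample_verified_log | audit_pacaur_log
    sample_unverified_log | audit_pacaur_log || true
fi
```

The check is deliberately keyed on the package name from the "Making package:" header, so a transcript that builds several AUR packages in one run is audited per package; a package that was validated in the first pass is accepted even though pacaur's later passes for it print the warning, which is exactly the behaviour the maintainer describes.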