I'm working on learning how to build a package as one that I need is orphaned and out of date. The older PKGBUILD had an md5sums entry. As I understand this, that is to ensure that the source downloaded is the real thing. With this package, there is no md5sums information on the website that I can find. If I download it and generate the md5sums (not something I know how to do, but I understand it can be done), there's really no security because how do I know that what I downloaded is correct in the first place? How do you get around this issue? Or am I missing the boat here entirely?
There are also a couple patches in the old PKGBUILD, I'm not sure where those come from and so not sure what to do with them. I don't find anything like that on the source site.
md5sums are primarily for verification that the file was downloaded correctly; they are not really a security solution. Patches are not uncommon, and the only way to check what they do is to read the code.
If it is a package that lives in core or extra, then you can find older versions of the PKGBUILDs here: http://repos.archlinux.org
Last edited by Mr.Elendig (2009-03-07 11:50:11)
So how do I know if the patch is still needed with the newer source? I'm not a programmer, and while I looked at the patch, other than the comments it's not something I understand.
In some cases patches are needed to compile the source; in other cases patches change or add to the functioning of the program. Patches can also be used to change how the program is built, i.e. where the binaries, manpages go, etc. Sometimes it's possible to tell what a patch is supposed to be doing based on the filename of the patch. It's hard to say in general. What package are you talking about?
I'd say - try to compile without any patches, if something doesn't go as expected, try to find a patch that fixes it. Usually you can google some patches up.
By the way - generating md5sums is as easy as 'md5sum <filename>'.
If you try to apply a patch that isn't needed anymore, or doesn't work, it will show up before the system configures anything. So watch the output as the package starts the building process. It's also helpful after patch lines to add "|| return 1". This will break the building process in case of failure.
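Added example, not part of any post in this thread: a shell sketch of the comparison a PKGBUILD `md5sums` entry stands for, with the build stopped by `|| return 1` on a mismatch. All file names, contents and function names are constructed; the four cases show that the check catches a file that differs from the recorded hash, and that a hash generated from an already altered download simply matches that download.

```shell
#!/bin/sh
# Added example: file names, contents and function names are constructed.

# file_md5 FILE: print only the hash from 'md5sum <filename>'.
file_md5() {
    md5sum "$1" | cut -d' ' -f1
}

# verify_source FILE EXPECTED: succeed only if FILE hashes to EXPECTED,
# the comparison a PKGBUILD md5sums entry stands for.
verify_source() {
    [ -f "$1" ] || return 2            # download is missing
    [ "$(file_md5 "$1")" = "$2" ]
}

# build_step FILE EXPECTED: abort on a mismatch, '|| return 1' style.
build_step() {
    verify_source "$1" "$2" || return 1
    echo "building from $1"
}

# demo: print pass/fail for four constructed cases.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'release 1.0 source\n' > "$dir/good.tar"          # intact copy
    printf 'release 1.0 sou' > "$dir/cut.tar"                # truncated download
    printf 'release 1.0 source, altered\n' > "$dir/alt.tar"  # altered before download

    pinned=$(file_md5 "$dir/good.tar")   # hash recorded from the intact copy
    self=$(file_md5 "$dir/alt.tar")      # hash generated from the altered copy

    # 1. Intact file against the recorded hash: build proceeds.
    build_step "$dir/good.tar" "$pinned" >/dev/null && r1=pass || r1=fail
    # 2. Truncated file against the recorded hash: build stops.
    build_step "$dir/cut.tar" "$pinned" >/dev/null && r2=pass || r2=fail
    # 3. Altered file against a hash taken from itself: build proceeds,
    #    because the hash only says "same bytes as when it was recorded".
    build_step "$dir/alt.tar" "$self" >/dev/null && r3=pass || r3=fail
    # 4. Altered file against the hash of the intact copy: build stops.
    build_step "$dir/alt.tar" "$pinned" >/dev/null && r4=pass || r4=fail

    rm -rf "$dir"
    echo "$r1 $r2 $r3 $r4"
}

demo
```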
I'm working on lirc and lirc-utils. I appreciate the information.
With lirc packages I would just try to recompile without any patches, using the latest version of the code. It should build without any problems on the current kernel version. If it doesn't build then you can try with the patches.