Here's what I get:
==> Building and installing package
==> Making package: leiningen 1:2.2.0-1 (Fri Aug 16 19:48:01 EDT 2013)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
-> Downloading lein...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 11440 100 11440 0 0 65861 0 --:--:-- --:--:-- --:--:-- 66127
==> Validating source files with sha1sums...
lein ... FAILED
==> ERROR: One or more files did not pass the validity check!
==> ERROR: Makepkg was unable to build leiningen.
Now, I did do some research, and it seems that if I do:
makepkg -g
That will give me the current sha, but I'm reluctant to use it:
If the github repo is trusted (which seems to be the case), why isn't the PKGBUILD updated automatically?
I'm guessing there must be a good reason, and I would like to clear that up before I continue.
Thanks.
Last edited by Goran (2013-08-17 03:50:31)
Repeat without using an AUR helper and post at https://aur.archlinux.org/packages/leiningen/. You shouldn't need to run makepkg -g here and doing so completely undermines the security/validity checking purpose of using checksums in the first place.
CLI Paste | How To Ask Questions
Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L
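The point made above about `makepkg -g`, as an added example that is not part of the original thread: a constructed shell demo comparing a checksum pinned at review time with one regenerated from the download itself. The file names and contents are made up, and `sha1sum` stands in for makepkg's own validation step.

```shell
#!/bin/sh
# Constructed demo: a hash regenerated from the file just downloaded verifies
# nothing, while a hash pinned when the file was reviewed catches a change.

sha1_of() { sha1sum "$1" | cut -d' ' -f1; }

# Pinned check: compare the download against a hash recorded earlier.
verify_pinned() {          # usage: verify_pinned FILE EXPECTED_SHA1
    [ "$(sha1_of "$1")" = "$2" ]
}

# Regenerate-then-check: the "expected" value is taken from the download
# (what pasting `makepkg -g` output into the PKGBUILD amounts to), so the
# comparison holds for any content at all.
verify_regenerated() {     # usage: verify_regenerated FILE
    fresh=$(sha1_of "$1")
    [ "$(sha1_of "$1")" = "$fresh" ]
}

# Run a check and report it in the style of makepkg's validation output.
check() {                  # usage: check LABEL COMMAND [ARGS...]
    label=$1; shift
    if "$@"; then printf '%s:pass' "$label"; else printf '%s:FAILED' "$label"; fi
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed stand-ins: the script as the maintainer reviewed it, and
    # what the floating URL serves after upstream changed the file.
    printf '#!/bin/sh\necho "reviewed version"\n' > "$dir/lein.reviewed"
    printf '#!/bin/sh\necho "changed upstream"\n' > "$dir/lein.downloaded"

    pinned=$(sha1_of "$dir/lein.reviewed")   # the value kept in sha1sums=()
    r1=$(check reviewed    verify_pinned "$dir/lein.reviewed"   "$pinned")
    r2=$(check changed     verify_pinned "$dir/lein.downloaded" "$pinned")
    r3=$(check regenerated verify_regenerated "$dir/lein.downloaded")
    rm -rf "$dir"
    printf '%s %s %s\n' "$r1" "$r2" "$r3"
}

demo
```

The pinned check fails on the changed file, which is the FAILED line in the build output quoted in this thread; the regenerated check passes regardless of what was downloaded.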
I get
==> Making package: leiningen 1:2.2.0-1 (Sat Aug 17 02:23:47 CEST 2013)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
-> Downloading lein...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 11440 100 11440 0 0 18067 0 --:--:-- --:--:-- --:--:-- 18101
==> Validating source files with sha1sums...
lein ... FAILED
==> ERROR: One or more files did not pass the validity check!
when using pure makepkg.
Ok, so I should just replace the existing hash with the one generated by makepkg -g?
Also, I guess it would be a good idea to leave a comment for the maintainer, to update the file?
But again, going back to my original question: If the repo is trusted, why isn't PKGBUILD updated automatically?
I mean, with an active project like leiningen, that seems like a necessity, in order to avoid these issues.
Last edited by Goran (2013-08-17 01:56:11)
So ... your first two questions are asking if cfr was trying to mislead you? No, you probably shouldn't just replace the hash; yes you should leave a comment.
And what do you mean about it being a trusted repo? PKGBUILDs don't get updated automatically - they are updated when the maintainer updates them. This can be triggered by the maintainer being informed that such a problem exists.
Last edited by Trilby (2013-08-17 02:03:13)
"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" - Richard Stallman
The source points to github:
source=('https://raw.github.com/technomancy/leiningen/stable/bin/lein')
It's not a "snap-shot" that was generated by the maintainer, as a "known to be good" copy. So, doesn't that imply that he trusts the source as "good"?
Unless the PKGBUILD is re-generated whenever the git repo updates, the sha1sums will always be outdated.
If this is something that cannot, or should not be automated, then what should the user do (assuming that I can't, or otherwise don't want to wait for the maintainer to update)?
It's not a "snap-shot" that was generated by the maintainer, as a "known to be good" copy. So, doesn't that imply that he trusts the source as "good"?
Read the last comment https://aur.archlinux.org/packages/leiningen/ made by the current maintainer.
Read the last comment https://aur.archlinux.org/packages/leiningen/ made by the current maintainer.
Yes, I noticed his last comment, and I understood (I think). However, I don't see how it implies a solution for my current problem.
Last edited by Goran (2013-08-17 02:51:27)
It's an explanation. That is, no the sha1sums will not be wrong "whenever the git repo updates" but only when the stable branch is updated. And the use of that source is just like the use of any other upstream source - the package maintainer is not pointing to the git repo generally but only to a particular stable branch of it.
I think perhaps you are just trying to use the wrong package. Perhaps you really want leiningen2-git?
no the sha1sums will not be wrong "whenever the git repo updates" but only when the stable branch is updated. And the use of that source is just like the use of any other upstream source - the package maintainer is not pointing to the git repo generally but only to a particular stable branch of it.
That's what I meant - When the stable branch is updated.
I think perhaps you are just trying to use the wrong package. Perhaps you really want leiningen2-git?
... No.
I want to use the stable, but I can't, because of the problems already outlined.
That's what I meant - When the stable branch is updated.
And in that way it is like every other package in the aur. If/when the upstream source changes, the PKGBUILD has to be updated. If you want to avoid this, you should use the -git version.
If you want to avoid this, you should use the -git version.
I looked at that (I assume you mean leiningen2-git), and I was surprised to find out that it actually gets the sources from stable (just like leiningen).
I think leiningen should draw from stable (without sha1sums, just like current leiningen2-git), and then leiningen-git should draw from master.
Doesn't that make more sense? It would also avoid these "outdated" issues.
I was just trying to understand the reasoning behind the current setup, but, my problem is now solved, so I'll mark the thread accordingly.
Thanks everyone.
Oye ... I just looked at the git pkgbuild. If it works it works - but I cringed on seeing a 'curl' in the build function that bypasses makepkg's checksum - also it should not be named -git as it is not a vcs build.
I cringed on seeing a 'curl' in the build function that bypasses makepkg's checksum
Yea, and also, dependencies are not defined, so it's not really a good alternative to leiningen.
In either case, leiningen is what really needs to be fixed, in my view, because that's what the github wiki points to: https://github.com/technomancy/leiningen/wiki/Packaging
And I think I know the perfect way to do it: Instead of drawing from the floating stable, why not simply draw from a specific commit in stable?
That seems like a perfect solution, because that's essentially a snap-shot, which won't change until the package maintainer decides to update the pkgbuild.
What do you think?
Unfortunately, I don't think it works that way. All these PKGBUILDs are doing is grabbing a script and dropping it in /usr/bin. The script is then what downloads and installs everything.
I hate software like this. It's a nightmare to package.