
#1 2013-08-17 00:04:53

Goran
Member
Registered: 2012-01-24
Posts: 53

[SOLVED] Yaourt: trying to install leiningen - validity check fails.

Here's what I get:

==> Building and installing package
==> Making package: leiningen 1:2.2.0-1 (Fri Aug 16 19:48:01 EDT 2013)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Downloading lein...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 11440  100 11440    0     0  65861      0 --:--:-- --:--:-- --:--:-- 66127
==> Validating source files with sha1sums...
    lein ... FAILED
==> ERROR: One or more files did not pass the validity check!
==> ERROR: Makepkg was unable to build leiningen.

Now, I did do some research, and it seems that if I do:

makepkg -g

That will give me the current sha, but I'm reluctant to use it:

If the github repo is trusted (which seems to be the case), why isn't the PKGBUILD updated automatically?

I'm guessing there must be a good reason, and I would like to clear that up before I continue.

Thanks.

Last edited by Goran (2013-08-17 03:50:31)


#2 2013-08-17 00:21:34

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 5,662

Re: [SOLVED] Yaourt: trying to install leiningen - validity check fails.

Repeat without using an AUR helper and post at https://aur.archlinux.org/packages/leiningen/. You shouldn't need to run makepkg -g here and doing so completely undermines the security/validity checking purpose of using checksums in the first place.


How To Ask Questions The Smart Way | Help Vampires

Arch Linux | x86_64 | GPT | EFI boot | grub2 | systemd | LVM2 on LUKS
Lenovo x121e | Intel(R) Core(TM) i3-2367M CPU @ 1.40GHz GenuineIntel | Intel Centrino Wireless-N 1000 | US keyboard with Euro | 320G 7200 RPM Seagate HDD
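
Why regenerating the checksum defeats the check cfr describes above, shown as an added example that is not part of the thread and not makepkg's own code. File names and contents are constructed, and `sha1sum` stands in for makepkg's sha1sums validation.

```shell
#!/usr/bin/env bash
# Added illustration; not makepkg's implementation. All file contents are constructed.

# Print the SHA-1 of a file (the digest type the PKGBUILD in this thread uses).
digest() { sha1sum "$1" | cut -d' ' -f1; }

# Fail-closed check: succeed only if the file matches the recorded digest.
verify_source() {
    local file=$1 recorded=$2
    [ "$(digest "$file")" = "$recorded" ]
}

# "Fix" a failure by regenerating the digest from whatever was downloaded,
# which is the effect of pasting `makepkg -g` output into the PKGBUILD.
# The file is compared with itself, so this can never fail.
regenerate_then_verify() {
    local file=$1
    verify_source "$file" "$(digest "$file")"
}

# Run the scenario from the thread; echo one result per check.
demo() {
    local dir reviewed changed recorded
    dir=$(mktemp -d) || return 1
    reviewed=$dir/lein.reviewed   # what the maintainer fetched and recorded
    changed=$dir/lein.today       # what the floating branch URL serves later
    printf '#!/bin/sh\necho "lein 2.2.0"\n' > "$reviewed"
    printf '#!/bin/sh\necho "lein, changed upstream"\n' > "$changed"
    recorded=$(digest "$reviewed")

    verify_source "$reviewed" "$recorded" && echo same-file:pass || echo same-file:FAILED
    verify_source "$changed" "$recorded" && echo changed-file:pass || echo changed-file:FAILED
    regenerate_then_verify "$changed" && echo regenerated:pass || echo regenerated:FAILED
    rm -rf "$dir"
}

demo
```

The recorded digest only says something about the download when it was written down independently of that download; a digest derived from the file being checked accepts any content.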


#3 2013-08-17 00:29:37

karol
Archivist
Registered: 2009-05-06
Posts: 25,430

Re: [SOLVED] Yaourt: trying to install leiningen - validity check fails.

I get

==> Making package: leiningen 1:2.2.0-1 (Sat Aug 17 02:23:47 CEST 2013)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Downloading lein...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 11440  100 11440    0     0  18067      0 --:--:-- --:--:-- --:--:-- 18101
==> Validating source files with sha1sums...
    lein ... FAILED
==> ERROR: One or more files did not pass the validity check!

when using pure makepkg.


#4 2013-08-17 01:55:41

Goran
Member
Registered: 2012-01-24
Posts: 53

Re: [SOLVED] Yaourt: trying to install leiningen - validity check fails.

Ok, so I should just replace the existing hash with the one generated by makepkg -g?

Also, I guess it would be a good idea to leave a comment for the maintainer, to update the file?

But again, going back to my original question: If the repo is trusted, why isn't PKGBUILD updated automatically?

I mean, with an active project like leiningen, that seems like a necessity, in order to avoid these issues.

Last edited by Goran (2013-08-17 01:56:11)


#5 2013-08-17 01:59:28

Trilby
Forum Moderator
From: Massachusetts, USA
Registered: 2011-11-29
Posts: 13,992
Website

Re: [SOLVED] Yaourt: trying to install leiningen - validity check fails.

So ... your first two questions are asking if cfr was trying to mislead you?  No, you probably shouldn't just replace the hash; yes you should leave a comment.

And what do you mean about it being a trusted repo?  PKGBUILDs don't get updated automatically - they are updated when the maintainer updates them.  This can be triggered by the maintainer being informed that such a problem exists.

Last edited by Trilby (2013-08-17 02:03:13)


InterrobangSlider
• How's my coding? See this page.
• How's my moderating? Feel free to email any concerns, complaints, or objections.


#6 2013-08-17 02:32:06

Goran
Member
Registered: 2012-01-24
Posts: 53

Re: [SOLVED] Yaourt: trying to install leiningen - validity check fails.

The source points to github:

source=('https://raw.github.com/technomancy/leiningen/stable/bin/lein')

It's not a "snap-shot" that was generated by the maintainer, as a "known to be good" copy. So, doesn't that imply that he trusts the source as "good"?

Unless the PKGBUILD is re-generated whenever the git repo updates, the sha1sums will always be outdated.

If this is something that cannot, or should not be automated, then what should the user do (assuming that I can't, or otherwise don't want to wait for the maintainer to update)?


#7 2013-08-17 02:35:05

karol
Archivist
Registered: 2009-05-06
Posts: 25,430

Re: [SOLVED] Yaourt: trying to install leiningen - validity check fails.

Goran wrote:

It's not a "snap-shot" that was generated by the maintainer, as a "known to be good" copy. So, doesn't that imply that he trusts the source as "good"?

Read the last comment https://aur.archlinux.org/packages/leiningen/ made by the current maintainer.


#8 2013-08-17 02:50:53

Goran
Member
Registered: 2012-01-24
Posts: 53

Re: [SOLVED] Yaourt: trying to install leiningen - validity check fails.

karol wrote:

Read the last comment https://aur.archlinux.org/packages/leiningen/ made by the current maintainer.

Yes, I noticed his last comment, and I understood (I think). However, I don't see how it implies a solution for my current problem.

Last edited by Goran (2013-08-17 02:51:27)


#9 2013-08-17 02:55:56

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 5,662

Re: [SOLVED] Yaourt: trying to install leiningen - validity check fails.

It's an explanation. That is, no the sha1sums will not be wrong "whenever the git repo updates" but only when the stable branch is updated. And the use of that source is just like the use of any other upstream source - the package maintainer is not pointing to the git repo generally but only to a particular stable branch of it.

I think perhaps you are just trying to use the wrong package. Perhaps you really want leiningen2-git?



#10 2013-08-17 03:07:02

Goran
Member
Registered: 2012-01-24
Posts: 53

Re: [SOLVED] Yaourt: trying to install leiningen - validity check fails.

cfr wrote:

no the sha1sums will not be wrong "whenever the git repo updates" but only when the stable branch is updated. And the use of that source is just like the use of any other upstream source - the package maintainer is not pointing to the git repo generally but only to a particular stable branch of it.

That's what I meant - When the stable branch is updated.

I think perhaps you are just trying to use the wrong package. Perhaps you really want leiningen2-git?

... No.

I want to use the stable, but I can't, because of the problems already outlined.


#11 2013-08-17 03:10:30

Trilby
Forum Moderator
From: Massachusetts, USA
Registered: 2011-11-29
Posts: 13,992
Website

Re: [SOLVED] Yaourt: trying to install leiningen - validity check fails.

Goran wrote:

That's what I meant - When the stable branch is updated.

And in that way it is like every other package in the aur.  If/when the upstream source changes, the PKGBUILD has to be updated.  If you want to avoid this, you should use the -git version.



#12 2013-08-17 03:48:56

Goran
Member
Registered: 2012-01-24
Posts: 53

Re: [SOLVED] Yaourt: trying to install leiningen - validity check fails.

If you want to avoid this, you should use the -git version.

I looked at that (I assume you mean leiningen2-git), and I was surprised to find out that it actually gets the sources from stable (just like leiningen).

I think leiningen should draw from stable (without sha1sums, just like current leiningen2-git), and then leiningen-git should draw from master.

Doesn't that make more sense? It would also avoid these "outdated" issues.

I was just trying to understand the reasoning behind the current setup, but, my problem is now solved, so I'll mark the thread accordingly.

Thanks everyone.


#13 2013-08-17 04:05:31

Trilby
Forum Moderator
From: Massachusetts, USA
Registered: 2011-11-29
Posts: 13,992
Website

Re: [SOLVED] Yaourt: trying to install leiningen - validity check fails.

Oye ... I just looked at the git pkgbuild.  If it works it works - but I cringed on seeing a 'curl' in the build function that bypasses makepkg's checksum - also it should not be named -git as it is not a vcs build.



#14 2013-08-17 04:24:45

Goran
Member
Registered: 2012-01-24
Posts: 53

Re: [SOLVED] Yaourt: trying to install leiningen - validity check fails.

Trilby wrote:

I cringed on seeing a 'curl' in the build function that bypasses makepkg's checksum

Yea, and also, dependencies are not defined, so it's not really a good alternative to leiningen.

In either case, leiningen is what really needs to be fixed, in my view, because that's what the github wiki points to: https://github.com/technomancy/leiningen/wiki/Packaging

And I think I know the perfect way to do it: Instead of drawing from the floating stable, why not simply draw from a specific commit in stable?

That seems like a perfect solution, because that's essentially a snap-shot, which won't change until the package maintainer decides to update the pkgbuild.

What do you think?


#15 2013-08-17 04:29:42

Scimmia
Bug Wrangler
Registered: 2012-09-01
Posts: 5,071

Re: [SOLVED] Yaourt: trying to install leiningen - validity check fails.

Unfortunately, I don't think it works that way. All these PKGBUILDs are doing is grabbing a script and dropping it in /usr/bin. The script is then what downloads and installs everything.

I hate software like this. It's a nightmare to package.
