kisslinux / kiss

KISS Linux - Package Manager
https://kisslinux.github.io
MIT License

[RFC] Skipping checksums #200

Closed konimex closed 3 years ago

konimex commented 4 years ago

Rationale

Checksums are very important to sources since they check for source integrity upon download. However, in some cases, it might be desirable to support skipping checksums (or just if one wants to skip all those annoyances, or if someone wants to extend kiss to support checking PGP signatures for sources in their fork/implementation of the package manager and finds checksumming signature files overkill/excessive, or the tarball's source checksums are ever-changing (e.g. sources from googlecode) and we have no alternative source to turn to (other than using git sources, but in the worst cases, even git sources are not available)).

Proposal

My changes are not directed directly to the package manager but rather the packaging format.

I'm not going to propose yet another environment variable approach, since:

  1. It's not a package format change
  2. I'm not a fan of that approach
  3. I don't think it's viable for a multiple-sources scenario if you just want to skip verification for one source.

So I'm going to propose changes specifically for the checksums file.

For example:

sources

https://code.google.com/random-source.tar.gz
https://github.com/user/src/random-source2.tar.gz

checksums

SKIP
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

SKIP should be manually inputted by the user.

If the package manager detects SKIP for certain files, it will skip over that file and check the checksums for other files.

What do you think?

dylanaraps commented 4 years ago

This sounds good to me. Will do.

dylanaraps commented 3 years ago

Done. Will rewrite the whole verification process soon so that a little message is displayed for each skipped source. :+1:
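
The per-line SKIP behaviour proposed in this thread, together with the per-source message mentioned in the last comment, as an added example in POSIX sh (not kiss's own code). The function names, the WARN/FAIL message format and the rule that line N of checksums belongs to line N of sources are assumptions; a source with no checksum line fails rather than being treated as skipped.

```shell
#!/bin/sh
# Added example: per-source SKIP handling for a kiss-style checksums file.
# Assumed layout: line N of "checksums" belongs to line N of "sources".

sha256() {
    # Print only the hex digest of file $1.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

verify_sources() {
    # $1: directory holding the downloaded files
    # $2: sources file, $3: checksums file
    skipped=0 verified=0
    while IFS= read -r src <&3 || [ -n "$src" ]; do
        [ -n "$src" ] || continue
        file=${src##*/}
        # A source with no checksum line is an error, never an implicit skip.
        IFS= read -r sum <&4 || [ -n "$sum" ] || {
            echo "FAIL $file: no checksum entry" >&2
            return 1
        }
        # Only the exact token SKIP disables the check, and only for this line.
        if [ "$sum" = SKIP ]; then
            echo "WARN $file: checksum skipped, integrity not verified" >&2
            skipped=$((skipped + 1))
            continue
        fi
        [ -f "$1/$file" ] || { echo "FAIL $file: not found" >&2; return 1; }
        if [ "$(sha256 "$1/$file")" != "$sum" ]; then
            echo "FAIL $file: checksum mismatch" >&2
            return 1
        fi
        verified=$((verified + 1))
    done 3< "$2" 4< "$3"
    return 0
}

# Constructed demo input, mirroring the example in the issue.
demo=$(mktemp -d)
printf 'a' > "$demo/random-source.tar.gz"; printf 'b' > "$demo/random-source2.tar.gz"
printf '%s\n' https://code.google.com/random-source.tar.gz \
    https://github.com/user/src/random-source2.tar.gz > "$demo/sources"
printf 'SKIP\n%s\n' "$(sha256 "$demo/random-source2.tar.gz")" > "$demo/checksums"
verify_sources "$demo" "$demo/sources" "$demo/checksums" && echo "verified=$verified skipped=$skipped"
rm -rf "$demo"
```

The skipped count is kept separately so a caller can surface how many sources went unverified in a build log.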