FS#34816 - [namcap] False positive on chromium-dev

Attached to Project: Arch Linux
Opened by gadget3000 (gadget3000) - Tuesday, 16 April 2013, 19:20 GMT
Last edited by Dave Reisner (falconindy) - Wednesday, 30 October 2013, 18:12 GMT
Task Type: Bug Report
Category: Arch Projects
Status: Closed
Assigned To: Rémy Oudompheng (remyoudompheng)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:
The chromium-dev PKGBUILD currently builds up its source and sha1sum arrays (e.g. source+=(...)), and one source and sha1sum entry is currently commented out.
namcap throws the error "PKGBUILD (chromium-dev) E: Not enough sha1sums: 13 needed", even though the number of sha1sums is correct.

Additional info:
* package version(s)
* config and/or log files etc.
chromium-dev PKGBUILD attached
namcap version: 3.2.5-1

Steps to reproduce:
Run `namcap PKGBUILD` on the chromium-dev PKGBUILD
Attachment: PKGBUILD (15.8 KiB)

Closed by Dave Reisner (falconindy)
Wednesday, 30 October 2013, 18:12 GMT
Reason for closing: Not a bug
Additional comments about closing: PKGBUILD bug, not namcap.
Comment by Gustavo Alvarez (sl1pkn07) - Wednesday, 17 April 2013, 10:22 GMT
The problem is with:

_sha1_naclsdk_linux="$(curl -sL "http://gsdview.appspot.com/nativeclient-archive2/toolchain/${_toolchains_rev}/naclsdk_linux_x86.tgz.sha1hash")"
_sha1_toolchain_linux="$(curl -sL "http://gsdview.appspot.com/nativeclient-archive2/x86_toolchain/r${_toolchains_rev}/toolchain_linux_x86.tar.bz2.sha1hash")"
_sha1_naclsdk_pnacl_linux="$(curl -sL "http://gsdview.appspot.com/nativeclient-archive2/toolchain/${_toolchains_rev}/naclsdk_pnacl_linux_x86.tgz.sha1hash")"

sha1sums+=("${_naclsdk_nacl_sha1sum}"
# "${_naclsdk_pnacl_sha1sum}"
"${_naclsdk_toolchain_sha1sum}")

namcap does not execute code; it searches for 40-digit strings (between 0-9 and a-f).

The commented-out line has nothing to do with it.
Comment by Jan de Groot (JGC) - Wednesday, 17 April 2013, 22:12 GMT
This is not something we should even try to fix. Namcap doesn't execute the bash code in pkgbuilds, but this package takes insanity to the next level by downloading checksums using curl. How can you be sure that the source and checksum is what the maintainer of the package initially checked in?
Comment by Gustavo Alvarez (sl1pkn07) - Wednesday, 17 April 2013, 22:25 GMT
I am the maintainer of this package.

https://aur.archlinux.org/packages/chromium-dev/
https://aur.archlinux.org/packages/ch/chromium-dev/PKGBUILD

It gets the sha1sums directly from Google's servers.

I have used this method in this package since version 14 (+/-) (before, with wget and cat, lol). It never failed.
Comment by Jan de Groot (JGC) - Friday, 19 April 2013, 08:07 GMT
Your method defeats the purpose of checksums. If someone replaces the files on the server by something else, your PKGBUILD can build a completely different package without anyone noticing. If someone manages to hack a server and insert a trojan there, then your PKGBUILD will silently fetch the new checksum and start building an infected version of chromium.
Comment by Gustavo Alvarez (sl1pkn07) - Friday, 19 April 2013, 10:49 GMT
Then, for example, RPM distros have the same hole, because the checksums are stored in the metadata file uploaded to the respective repository,

like http://dl.google.com/linux/chrome/rpm/stable/x86_64/repodata/filelists.xml.gz

I believe that if Google ships the sha1sums file on the download server, it is for something (my English is bad, sorry for this).

It also takes very fat balls to hack Google....
Comment by Jan de Groot (JGC) - Friday, 19 April 2013, 11:42 GMT
Checksums have two purposes: validating that your download was correct, and validating that your download is the same as the last time you downloaded it. Your method is only good enough to validate that your download isn't corrupt, but your method doesn't warn you in any way that something has changed since the last download.

Anyways, this is not something that should get fixed in namcap. Nice for you that it works because makepkg sources your PKGBUILD and executes your variable code, but checksum validation is not designed this way.
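The two purposes of a checksum that JGC distinguishes above, modelled as an added example (not code from this thread or from the chromium-dev PKGBUILD): a constructed in-memory stand-in for the download server, a makepkg-style check against a checksum pinned in the PKGBUILD at check-in, and the PKGBUILD's method of fetching the .sha1hash file from the same server at build time. The file names follow the snippet quoted earlier; the tarball contents are constructed.

```python
import hashlib


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def make_server(tarball: bytes) -> dict:
    """Constructed stand-in for the download server: path -> bytes.
    Upstream publishes each tarball next to a ".sha1hash" file."""
    return {
        "naclsdk_linux_x86.tgz": tarball,
        "naclsdk_linux_x86.tgz.sha1hash": sha1_hex(tarball).encode(),
    }


def verify_pinned(server: dict, pinned_sha1: str) -> bool:
    """makepkg-style check: the expected sha1 was recorded in the PKGBUILD
    when the maintainer checked it in, so it does not change with the server."""
    return sha1_hex(server["naclsdk_linux_x86.tgz"]) == pinned_sha1


def verify_fetched(server: dict) -> bool:
    """The PKGBUILD's curl method: the expected sha1 is downloaded from the
    same server at build time, right next to the file it is meant to verify."""
    expected = server["naclsdk_linux_x86.tgz.sha1hash"].decode().strip()
    return sha1_hex(server["naclsdk_linux_x86.tgz"]) == expected


def scenarios() -> dict:
    """Run both checks against three server states; returns
    {name: (pinned_ok, fetched_ok)}."""
    original = b"constructed original naclsdk tarball"
    pinned = sha1_hex(original)  # what the maintainer checked into the PKGBUILD
    results = {}
    # 1. Untouched server: both methods accept the download.
    srv = make_server(original)
    results["untouched"] = (verify_pinned(srv, pinned), verify_fetched(srv))
    # 2. Corrupted download: tarball damaged, .sha1hash intact. Both catch it,
    #    which is the only guarantee the fetched method can give.
    srv = make_server(original)
    srv["naclsdk_linux_x86.tgz"] = original[:-1] + b"?"
    results["corrupted"] = (verify_pinned(srv, pinned), verify_fetched(srv))
    # 3. Server content replaced and .sha1hash regenerated to match. Only the
    #    pinned checksum notices that the file differs from the one checked in.
    srv = make_server(b"constructed replaced tarball")
    results["replaced"] = (verify_pinned(srv, pinned), verify_fetched(srv))
    return results
```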
Comment by Gustavo Alvarez (sl1pkn07) - Friday, 19 April 2013, 12:24 GMT
In this case, this method is working as expected. It downloads exactly the version needed and checks exactly the checksum of these tarballs.

Sorry for the off-topic.

On topic: yes, the "problem" is the PKGBUILD, not namcap.