FS#50176 - [makepkg] Export MTREE file option

Attached to Project: Pacman
Opened by Hiroki Yamamoto (hirokiyamamoto) - Thursday, 28 July 2016, 14:12 GMT
Last edited by Allan McRae (Allan) - Saturday, 30 July 2016, 01:35 GMT
Task Type Feature Request
Category makepkg
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version 5.0.1
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Summary and Info:

Add an option to 'makepkg' to have its MTREE file exported (uncompressed). This is in addition to the (already available) inclusion of the .MTREE file in the '.pkg.tar.xz'.

Possible export ideas:
- To the PKGDEST folder as .pkg.tar.xz.mtree
- To a NEWVARIABLE folder as .pkg.tar.xz.mtree
- To the same folder the PKGBUILD is stored in

Possible option names:
- --genmtree
- --gentree

Steps to Reproduce:

None.

Closed by Allan McRae (Allan)
Saturday, 30 July 2016, 01:35 GMT
Reason for closing: Won't implement
Comment by Doug Newgard (Scimmia) - Thursday, 28 July 2016, 14:41 GMT
Why?
Comment by Hiroki Yamamoto (hirokiyamamoto) - Friday, 29 July 2016, 13:19 GMT
I'm currently post-extracting the .MTREE file out of the binary package using a combination of tar and gzip (due to double compression). This task would not be necessary if makepkg could be dictated to generate a .MTREE file in a similar fashion as one can dictate makepkg to sign a package and therefore generate a '.sig'. The use case for needing the .MTREE file is to extract all sha256 checksums and post-compare them to checksums of installed binaries at a later stage for integrity verification related purposes. So actually the real feature request here is the generation of a package specific checksum file containing SHA-2 checksums for packaged files.

As I'm currently already extracting the .MTREE file using a wrapper and then feeding it to sed, it is not necessary functionality and, in addition to that, not necessarily functionality makepkg should be able to provide. However, I wanted to pitch the idea anyways just in case my specific use case wouldn't be as specific as I've initially believed it to be. Assuming backing for such an idea would not be overwhelming (according to some sources), I'll request a closure of the request, leaving it referenced as a 'pitched idea', as it seems logical to generate a checksum file during package creation instead of afterwards.
Comment by Andrew Gregory (andrewgregory) - Friday, 29 July 2016, 13:24 GMT
Maybe I misunderstood your use case, but I still do not understand why you are extracting the mtree file. The mtree file for installed packages is stored in the local database.
Comment by Hiroki Yamamoto (hirokiyamamoto) - Friday, 29 July 2016, 13:39 GMT
However secondary, because the locally available mtree files in '/var/lib/pacman' are only available after package installation, I'm extracting the .MTREE file directly from the binary package files (after generation) as they are being generated on a single 'package build machine', but not necessarily installed on that same machine. Most importantly, it would be a better (security) practice to generate a checksum file during package creation, as this stage would be less prone to modification of checksums relative to a situation reading checksums from the local database. Especially if those checksums are post-stored in some sort of generally available read-only network-wide 'database'.
Comment by Andrew Gregory (andrewgregory) - Friday, 29 July 2016, 14:41 GMT
Building the mtree file requires building the package anyway; the only step you could save is the call to tar, but you seem to want the actual package too. So, I think it makes more sense to just copy the mtree file out of $pkgdir or extract it from the archive as you are doing now.
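
The workflow discussed in this thread (pull the gzip-compressed .MTREE out of a built package, collect its sha256digest values, compare them with files on disk), sketched in Python as an added example; it is not code from pacman or from any commenter. The function names and the METADATA skip list are assumptions of this example.

```python
import gzip
import hashlib
import os
import re
import tarfile

METADATA = {".PKGINFO", ".BUILDINFO", ".INSTALL", ".CHANGELOG"}  # assumed: never installed to disk

def read_mtree(pkg_path):
    """Return the .MTREE text from a package; the member is gzip-compressed inside the tar."""
    with tarfile.open(pkg_path, "r:*") as tar:  # "r:*" auto-detects the outer xz/gz layer
        raw = tar.extractfile(".MTREE").read()
    return gzip.decompress(raw).decode("utf-8")

def _unescape(name):  # mtree writes special bytes as \ooo octal escapes, e.g. \040 for a space
    raw = re.sub(rb"\\([0-3][0-7]{2})", lambda m: bytes([int(m.group(1), 8)]), name.encode())
    return raw.decode("utf-8", "surrogateescape")

def parse_mtree(text):
    """Map relative path -> sha256 hex digest for each regular-file entry."""
    defaults, digests = {}, {}
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        attrs = dict(w.split("=", 1) for w in words[1:] if "=" in w)
        if words[0] == "/set":
            defaults.update(attrs)
        elif words[0] == "/unset":
            defaults = {k: v for k, v in defaults.items() if k not in words[1:]}
        elif not words[0].startswith("/"):
            entry = {**defaults, **attrs}
            rel = re.sub(r"^\./", "", _unescape(words[0]))
            if entry.get("type") == "file" and "sha256digest" in entry and rel not in METADATA:
                digests[rel] = entry["sha256digest"].lower()
    return digests

def verify(digests, root):
    """Return {path: "missing" | "mismatch"} for files under root that fail the check."""
    problems = {}
    for rel, expected in sorted(digests.items()):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            problems[rel] = "missing"
            continue
        with open(full, "rb") as fh:
            if hashlib.sha256(fh.read()).hexdigest() != expected:
                problems[rel] = "mismatch"
    return problems
```

The result of `parse_mtree(read_mtree(pkg))` can be stored at build time and passed to `verify` later with the installation root; an empty dict means every listed file matched.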
