FS#67194 - [vbam] use signed git tag

Attached to Project: Community Packages
Opened by T.J. Townsend (blakkheim) - Saturday, 04 July 2020, 21:47 GMT
Last edited by freswa (frederik) - Sunday, 13 September 2020, 18:17 GMT
Task Type: Bug Report
Category: Packages
Status: Closed
Assigned To: Maxime Gauduin (Alucryd)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:
The vbam-sdl / vbam-wx packages have a "validpgpkeys" line, but the source URL does not actually make use of them. The attached patch switches to the signed version of the git tag.

Closed by freswa (frederik)
Sunday, 13 September 2020, 18:17 GMT
Reason for closing: Fixed
Additional comments about closing: vbam 2.1.4-3
Comment by Doug Newgard (Scimmia) - Saturday, 04 July 2020, 21:59 GMT
It also switches to the name of the tag instead of the hash of the tag. Not good.
Comment by T.J. Townsend (blakkheim) - Saturday, 04 July 2020, 22:01 GMT
Is there a policy against using v{$pkgver}? I've seen it in use quite often.

If there is a simpler way to use the pgp-signed version of the hash, let me know and I'll redo it.
Comment by Doug Newgard (Scimmia) - Saturday, 04 July 2020, 22:10 GMT
It should work if the correct hash is used in the first place. It looks like it's using the hash of the commit right now instead of the hash of the tag. I'm actually surprised this works; I'm not sure it's supposed to.

Edit: Also, don't change the URL (removing .git), you invalidate previous clones.

Edit2: The hash is preferred because upstreams can't be trusted not to rewrite history. It's amazing how often it happens.
Comment by T.J. Townsend (blakkheim) - Saturday, 04 July 2020, 22:22 GMT
The source is not verified currently. When adding "?signed" to the current URL, or doing it like...

_commit=(09fbcbac07148ea32add848722dab34a7eb4f6b5) # v2.1.4
source=("git+https://github.com/visualboyadvance-m/visualboyadvance-m?signed#tag=${_commit}")

I still get:

visualboyadvance-m git repo ... SIGNATURE NOT FOUND

https://github.com/visualboyadvance-m/visualboyadvance-m/tags

Assuming the way in the original diff (which does verify the signature) is wrong, could you show the proper way to handle this? Thanks.
Comment by Doug Newgard (Scimmia) - Saturday, 04 July 2020, 22:25 GMT
Because, as I said, the wrong hash is being used. The hash of the tag (8f4862de88de2f95866b7e501304f1e57a4e0abb) works fine.
Comment by T.J. Townsend (blakkheim) - Saturday, 04 July 2020, 22:33 GMT
Thank you for the hint. Let me know if this v2 patch is acceptable.
Comment by Doug Newgard (Scimmia) - Saturday, 04 July 2020, 22:36 GMT
You're still changing the URL. And the quoting.

Why would you call it _commit when it's not a commit? Why a separate variable at all?
Comment by T.J. Townsend (blakkheim) - Saturday, 04 July 2020, 22:44 GMT
How's this?
Comment by Doug Newgard (Scimmia) - Saturday, 04 July 2020, 22:50 GMT
Looks good.

Personally, I prefer to have the hash in a separate variable for ease of updating, but one universal rule of submitting patches is to not change the author's style.
Comment by T.J. Townsend (blakkheim) - Saturday, 08 August 2020, 00:50 GMT
Updated version for the current PKGBUILD.
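
Added example, not part of the original thread or the package's PKGBUILD: the thread turns on whether a pinned hash names the tag object (the hash Doug Newgard gives for the tag) or the commit the tag points to (the hash he identifies as the commit). The sketch below classifies a pinned hash from `git ls-remote --tags` output; the helper names `ls_remote_sample` and `classify_pin` are hypothetical, and the sample output is constructed from the two hashes quoted above plus one made-up lightweight tag.

```shell
#!/bin/sh
# Constructed stand-in for `git ls-remote --tags <repo-url>` output.
# The two v2.1.4 hashes are the ones quoted in the thread; the
# v0.0.0-example line is made up to show a lightweight tag.
ls_remote_sample() {
    printf '%s\t%s\n' \
        8f4862de88de2f95866b7e501304f1e57a4e0abb 'refs/tags/v2.1.4' \
        09fbcbac07148ea32add848722dab34a7eb4f6b5 'refs/tags/v2.1.4^{}' \
        1111111111111111111111111111111111111111 'refs/tags/v0.0.0-example'
}

# classify_pin HASH (hypothetical helper): reads ls-remote output on stdin
# and prints which kind of object HASH names.
#   tag-object          annotated tag object; the only kind that can hold a signature
#   peeled-commit       commit an annotated tag points to (the "^{}" line)
#   lightweight-commit  tag ref pointing straight at a commit, no tag object
classify_pin() {
    awk -v pin="$1" '
        index($2, "refs/tags/") == 1 {
            hash = $1; ref = substr($2, 11); n = length(ref)
            if (n > 3 && substr(ref, n - 2) == "^{}") {
                peeled[substr(ref, 1, n - 3)] = hash
            } else {
                direct[ref] = hash
            }
        }
        END {
            for (t in direct) if (direct[t] == pin) {
                kind = (t in peeled) ? "tag-object" : "lightweight-commit"
                print kind " " t
                found = 1
            }
            for (t in peeled) if (peeled[t] == pin) {
                print "peeled-commit " t
                found = 1
            }
            if (!found) print "unknown"
        }'
}

# Classify the two hashes discussed in the thread.
for pin in 8f4862de88de2f95866b7e501304f1e57a4e0abb \
           09fbcbac07148ea32add848722dab34a7eb4f6b5; do
    printf '%s -> %s\n' "$pin" "$(ls_remote_sample | classify_pin "$pin")"
done
```

Against a real repository, pipe `git ls-remote --tags <repo-url>` into `classify_pin` instead of the sample; a pin reported as anything other than `tag-object` does not name an object that carries a tag signature.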
