FS#1400 - pkgmk: sign pre-install and post-install files too

Attached to Project: CRUX
Opened by Fun (fun) - Tuesday, 11 April 2017, 20:20 GMT
Last edited by Juergen Daubert (jue) - Monday, 22 May 2017, 14:05 GMT
Task Type Improvement
Category tools → pkgutils
Status Closed
Assigned To No-one
Operating System CRUX
Severity Low
Priority Normal
Reported Version 3.3
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No


See the patch attached.
The old pkgmk will fail on the new .signature files!!!
I've made the following tests:

pkgmk -cs
=======> Signature ok.

echo x >post-install
pkgmk -cs
=======> Signature ok.

pkgmk -rs
=======> Signature refreshed.
grep post-install .signature
grep: exit 1
pkgmk -cs
========> Signature ok.

pkgmk -us
=======> Signature updated.
grep post-install .signature
SHA256 (post-install) = 73cb3858a687a8494ca3323053016282f3dad39d42cf62ca4e79dda2aac7d9ac
pkgmk -cs
=======> Signature ok.

pkgmk.orig -cs
=======> ERROR: Signature mismatch found:
MISMATCH post-install
pkgmk: exit 10

   0001-pkgmk-include-pre-instal... (1.3 KiB)
Closed by  Juergen Daubert (jue)
Monday, 22 May 2017, 14:05 GMT
Reason for closing:  Won't implement
Comment by Juergen Daubert (jue) - Wednesday, 12 April 2017, 09:26 GMT
Just a quick thought, might be that I've missed something:
wouldn't it be more consistent and even easier to include the pre- and post-install files in the source=() array?
Comment by Fun (fun) - Wednesday, 12 April 2017, 10:04 GMT
That was the conversation flow on irc:
- sign pre/post
- sign all local
- add to source

Then tek replied with pre/post signing.

I made this patch thinking that someone might wait for it.

But pkgmk is showing its age, looking patched. If pkgmk handles pre/post differently than Pkgfile/.footprint, it will look inconsistent too. The argument that pre/post are not pkgmk related, but prt-get, will add some make-up to the inconsistency, still, as most of the users run them...

Personally, I'll sign all the local files automatically and copy to SRC all the local files besides the remote sources, with a couple of exceptions.
Comment by Juergen Daubert (jue) - Wednesday, 12 April 2017, 12:06 GMT
Sorry, but still I don't see the point.

Sure, the pre-, post-install scripts are not used by pkgmk but are also files not generated and/or maintained by pkgmk like .footprint or .signature which are both "helper"-files for pkgmk to guarantee a safe and correct build of the port.

For me the install-scripts are files added by the maintainer of the port much more similar to a rc-script than to .footprint, .signature and .md5sum which are all generated by pkgmk.
Comment by Fun (fun) - Wednesday, 12 April 2017, 13:37 GMT
I might have a funny point of view :)

For me, every non-dotfile from a port is a "source" (part of the final package, even the README can have commands executed with copy/paste).
All the sources must be signed.
Doing it automatically is better (it avoids the human errors).
Source variable should hold only non-local sources. Counting on a human to add local sources to that variable brings another class of human errors.

Comment by Juergen Daubert (jue) - Wednesday, 12 April 2017, 13:54 GMT
ok, but with that view, your current patch doesn't make sense, because it adds only the special case for install-scripts.
Following your advice we should add automatically everything but the dotfiles in the port directory, even the README and what else.
Comment by Fun (fun) - Wednesday, 12 April 2017, 14:23 GMT
Let's not get carried by the fun... :)

I might have misread tek on crux-devel channel, and attached the patch.

After you've commented, I've attached my personal fun view too :) - all for one and one for all.

Comment by Fredrik Rinnestam (frinnst) - Thursday, 13 April 2017, 00:26 GMT
I much prefer to have the scripts in the source array for what it's worth. It's a simple fix for each port.
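
The coverage gap discussed in this thread (a port file such as post-install that has no checksum line in .signature) can be audited from outside pkgmk. The following is an added example, not part of the attached patch or of pkgutils: the function names are hypothetical, the sample port is constructed, the only format assumed is the `SHA256 (name) = hex` line quoted in the report, and the signify signature itself is not verified.

```shell
#!/bin/sh
# Added example: audit a port directory against the SHA256 lines of its
# .signature file. Function names are hypothetical, not part of pkgutils.
# The signify signature at the top of .signature is NOT verified here.

# Print the digest recorded for one file name, or nothing if it has no line.
# $1 = port directory, $2 = file name
recorded_digest() {
    awk -v p="SHA256 ($2) = " \
        'index($0, p) == 1 { print substr($0, length(p) + 1); exit }' \
        "$1/.signature"
}

# Report every non-dotfile in the port directory that is either missing
# from .signature (UNSIGNED) or differs from its recorded digest (MISMATCH).
# Returns 0 only when every file is covered and matches.
audit_port() {
    dir=$1
    status=0
    for path in "$dir"/*; do          # the glob skips dotfiles like .signature
        [ -f "$path" ] || continue
        name=${path##*/}
        want=$(recorded_digest "$dir" "$name")
        have=$(sha256sum "$path" | cut -d' ' -f1)
        if [ -z "$want" ]; then
            echo "UNSIGNED $name"; status=1
        elif [ "$want" != "$have" ]; then
            echo "MISMATCH $name"; status=1
        fi
    done
    return $status
}

# Constructed sample port: Pkgfile has a checksum line, post-install was
# added afterwards and has none. The signature line is a placeholder.
make_sample_port() {
    d=$(mktemp -d)
    echo 'name=demo' > "$d/Pkgfile"
    echo x > "$d/post-install"
    {
        echo 'untrusted comment: constructed sample, no real signature'
        echo 'PLACEHOLDER-SIGNATURE'
        echo "SHA256 (Pkgfile) = $(sha256sum "$d/Pkgfile" | cut -d' ' -f1)"
    } > "$d/.signature"
    echo "$d"
}

# Demo on the constructed port: prints "UNSIGNED post-install".
port=$(make_sample_port); audit_port "$port" || true; rm -rf "$port"
```

Run against a real port directory with `audit_port /path/to/port`; a non-zero exit status means at least one file is unsigned or mismatched.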