Enhance livecheck to check not only version but also checksums

Ryan Schmidt ryandesign at macports.org
Mon Mar 19 23:59:29 UTC 2018


It's been pointed out before than when updating a port to a new version, one should not just update the version and checksums in the portfile; one should also verify at least one of those checksums with the ones published by the developers -- assuming the developers publish them.

It would be great if livecheck could help us with that. So in addition to specifying the current livecheck.url and livecheck.regex for extracting an available new version number, there should be new options where a port could specify a url for a page where that new version's checksums are published, and regexes for extracting them.

Once that's done, it makes it easier to implement a better "bump" command -- one that can use any published checksums and compute the rest, and warn if no checksums were published.

https://trac.macports.org/ticket/53851

One possibile interface:

default livechecksum.type {none}
default livechecksum.url {${livecheck.url}}
default livechecksum.ignore_sslcert {${livecheck.ignore_sslcert}

default livechecksum.md5 {the first distfile's md5}
default livechecksum.md5.url {${livechecksum.url}}
default livechecksum.md5.ignore_sslcert {${livechecksum.ignore_sslcert}}
default livechecksum.md5.regex {""}

(repeat for the other checksum types sha1, rmd160, sha256, sha512, and maybe size)

To support the situation where the checksums are in a file whose name contains the new version number (for example phpMyAdmin, which publishes the sha256 checksum of the file phpMyAdmin-4.7.9-source.tar.xz in a separate file called phpMyAdmin-4.7.9-source.tar.xz.sha256) we might need to modify livecheck so that the updated version number extracted from the livecheck.regex is made available to the port in a new read-only option, perhaps livecheck.new_version. Then the portfile author could use that in constructing, say, livechecksum.sha256.url.



More information about the macports-dev mailing list