Enhance livecheck to check not only version but also checksums

Mojca Miklavec mojca at macports.org
Tue Mar 20 14:26:01 UTC 2018


On 20 March 2018 at 00:59, Ryan Schmidt wrote:
> It's been pointed out before that when updating a port to a new version, one should not just update the version and checksums in the portfile; one should also verify at least one of those checksums with the ones published by the developers -- assuming the developers publish them.
>
> It would be great if livecheck could help us with that. So in addition to specifying the current livecheck.url and livecheck.regex for extracting an available new version number, there should be new options where a port could specify a url for a page where that new version's checksums are published, and regexes for extracting them.
>
> Once that's done, it makes it easier to implement a better "bump" command -- one that can use any published checksums and compute the rest, and warn if no checksums were published.
>
> https://trac.macports.org/ticket/53851
>
> One possible interface:
>
> default livechecksum.type {none}
> default livechecksum.url {${livecheck.url}}
> default livechecksum.ignore_sslcert {${livecheck.ignore_sslcert}}
>
> default livechecksum.md5 {the first distfile's md5}
> default livechecksum.md5.url {${livechecksum.url}}
> default livechecksum.md5.ignore_sslcert {${livechecksum.ignore_sslcert}}
> default livechecksum.md5.regex {""}
>
> (repeat for the other checksum types sha1, rmd160, sha256, sha512, and maybe size)

Do you also want to support signatures then?
Public keys are pretty long though, but they usually don't change.

One example: https://waf.io

Mojca
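
The check proposed in the quoted message, sketched in Python as an added example (it is not MacPorts code and not part of either message): extract a published digest with a per-type regex, compare it with the digest of the downloaded distfile, compute the remaining types locally, and warn when nothing published verified the file. The function name `check_published`, the sample page, the distfile bytes and the regex are all constructed for illustration.

```python
import hashlib
import re

# Digest types hashlib always provides; rmd160 is left out because its
# availability depends on the local OpenSSL build.
TYPES = ("md5", "sha1", "sha256", "sha512")


def check_published(page, distfile, regexes):
    """Compare digests published on `page` with digests of `distfile`.

    `regexes` maps a checksum type to a pattern whose first capture group
    is the hex digest (the role the proposed livechecksum.<type>.regex plays).
    Returns (results, warnings); results[type] = (status, local_digest).
    """
    results, warnings = {}, []
    for kind in TYPES:
        local = hashlib.new(kind, distfile).hexdigest()
        pattern = regexes.get(kind)
        match = re.search(pattern, page) if pattern else None
        if match is None:
            # Nothing published for this type: computed locally only.
            results[kind] = ("computed", local)
            continue
        published = match.group(1).strip().lower()
        same = published == local
        results[kind] = ("verified" if same else "MISMATCH", local)
        if not same:
            warnings.append(f"{kind}: published {published} != local {local}")
    if not any(status == "verified" for status, _ in results.values()):
        warnings.append("no published checksum verified the distfile")
    return results, warnings


# Constructed sample data: a fake distfile and the page its developers publish.
DISTFILE = b"constructed tarball contents for example-1.2\n"
PAGE = (
    "<h1>Downloads</h1>\n"
    f"<pre>SHA256 (example-1.2.tar.gz) = {hashlib.sha256(DISTFILE).hexdigest().upper()}</pre>\n"
)
REGEXES = {"sha256": r"SHA256 \(example-1\.2\.tar\.gz\) = ([0-9A-Fa-f]{64})"}

if __name__ == "__main__":
    results, warnings = check_published(PAGE, DISTFILE, REGEXES)
    for kind, (status, digest) in results.items():
        print(f"{kind:7} {status:9} {digest}")
    for w in warnings:
        print("warning:", w)
```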

