Add install scriptlet checksums to BUILDINFO file
According to man (5) PKGBUILD, the install scriptlets do not need to be part of the source() array. This means that changes can creep in, breaking the package uniqueness or the reproducibility.
Here are a couple of use cases that brought me here.
Reproducible, broken uniqueness:
- package X was exported via asp and built
- intentional changes to the .install file were made
- .install changes were committed in git
- pkgrel wasn't updated
- package was rebuilt
The new package bears the same pkgver/pkgrel, yet different contents.
Unique, non-reproducible:
- package Y was exported via asp and built
- intentional changes to the .install file were made
- .install changes were not committed in git
- pkgrel was updated and committed in git
- package was rebuilt
The new package bears a distinct pkgver/pkgrel, yet is not reproducible.
Happy to prepare some patches, although I'm a bit split on what's the best way to handle this. Mandate scriptlets in sources() (and by extension have their checksum), add install_sha256sum and friends, other?
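
The first use case above, as an added example that is not part of the original report or of pacman's code: it records the existing `pkgbuild_sha256sum` field next to the proposed one and shows which of them notices an edited scriptlet. `install_sha256sum` is the name floated in the report and is not a BUILDINFO field today; the PKGBUILD, the scriptlet and the helper function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: constructed PKGBUILD and scriptlet, not from a real package.

# Print the file name assigned to install= in a PKGBUILD, without sourcing it.
install_name() {
    sed -n "s/^install=[\"']\{0,1\}\([^\"' ]*\).*/\1/p" "$1/PKGBUILD" | head -n 1
}

# Emit the existing pkgbuild_sha256sum line and, if a scriptlet is declared,
# the proposed (hypothetical) install_sha256sum line.
buildinfo_sums() {
    name=$(install_name "$1")
    printf 'pkgbuild_sha256sum = %s\n' "$(sha256sum < "$1/PKGBUILD" | cut -d' ' -f1)"
    if [ -n "$name" ] && [ -f "$1/$name" ]; then
        printf 'install_sha256sum = %s\n' "$(sha256sum < "$1/$name" | cut -d' ' -f1)"
    fi
}

# Print the key of every "key = value" line in $2 that is absent from $1.
changed_fields() {
    printf '%s\n' "$2" | while IFS= read -r line; do
        case "$1" in
            *"$line"*) ;;
            *) printf '%s\n' "${line%% = *}" ;;
        esac
    done
}

# Build once, edit only the scriptlet (pkgrel untouched), build again.
demo() {
    dir=$(mktemp -d)
    printf 'pkgname=demo\npkgver=1.0\npkgrel=1\narch=(any)\ninstall=demo.install\n' \
        > "$dir/PKGBUILD"
    printf 'post_install() { echo installed; }\n' > "$dir/demo.install"
    before=$(buildinfo_sums "$dir")
    printf 'post_install() { echo changed; }\n' > "$dir/demo.install"
    after=$(buildinfo_sums "$dir")
    changed_fields "$before" "$after"
    rm -rf "$dir"
}

demo
```

Only the proposed field changes between the two runs; the PKGBUILD checksum stays identical because the PKGBUILD references the scriptlet by name only.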