Package Details: downgrade 12.0.1-1

Git Clone URL: https://aur.archlinux.org/downgrade.git
Package Base: downgrade
Description: Bash script for downgrading one or more packages to a version in your cache or the A.L.A.
Upstream URL: https://github.com/archlinux-downgrade/downgrade
Licenses: GPL
Submitter: brisbin33
Maintainer: brisbin33 (atreyasha)
Last Packager: brisbin33
Votes: 877
Popularity: 10.12
First Submitted: 2009-11-12 01:48 (UTC)
Last Updated: 2026-03-04 15:37 (UTC)

Latest Comments

brisbin33 commented on 2026-03-04 15:36 (UTC)

Cool, thanks. 12.0.1 will be out soon with that change.

severach commented on 2026-03-04 15:08 (UTC)

updpkgsums only updates sums already there. The easiest way is to add sha256sums=(x) and updpkgsums will fill them out.

brisbin33 commented on 2026-03-04 13:40 (UTC)

@simonzack, can you provide docs on how to do that? My release tooling just runs updpkgsums and this is its behavior.

simonzack commented on 2026-03-04 02:32 (UTC)

Can the checksum be switched from MD5 to SHA-256? MD5 is obsolete now.

brisbin33 commented on 2025-12-22 14:40 (UTC)

> [W]hy are you using an upstream packaged bundle rather than installing directly from source-code tags

Downgrade's release is not just source files. We process script source in order to inline dynamic values such as DOWNGRADE_VERSION, we process translation files, and we include man-pages that are generated from markdown sources.

https://github.com/archlinux-downgrade/downgrade/blob/9c0e29a42f74f4aa75daa36bbfdf4aa6da6c1bc0/justfile#L7-L9

In order to release using the generated source tags, we'd need to commit the outputs of such processes, which comes with other trade-offs.

This way also works better with semantic-release, which I prefer generally.

> it will just increase the attack surface and make obfuscations easier ... this is exactly what was exploited in the XZ backdoor

Do you have a link about this? I'd love to understand why downloading a tar file from the GitHub releases APIs is less secure than from their source code contents APIs.

> I would suggest using b2sum rather than md5sum.

Thanks, patches welcome.

zefr0x commented on 2025-12-20 11:32 (UTC) (edited on 2025-12-20 11:35 (UTC) by zefr0x)

I know that it's only shell scripts, but why are you using an upstream packaged bundle rather than installing directly from source-code tags ("${url}/archive/refs/tags/v${pkgver}.tar.gz")?

By using an upstream packaged bundle rather than directly from GitHub's git tag URL, it will just increase the attack surface and make obfuscations easier.

I'm not saying that there is anything suspicious currently, but this is exactly what was exploited in the XZ backdoor.

Also, I would suggest using b2sum rather than md5sum.
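
The two comments above disagree about what a release bundle adds over the tag archive. As an added example (not part of the thread and not the downgrade project's code), this shell function lists the files a bundle adds or changes relative to the tag archive of the same version. The function names, the constructed `demo` trees, and the single top-level directory in each archive are assumptions.

```shell
#!/bin/sh
# Added example: list how a release bundle differs from the tag archive of the same version.
# Assumption: each archive has a single top-level directory (true for GitHub tag archives).

# manifest DIR: print "sha256  ./path" for every regular file under DIR
manifest() {
    (cd "$1" && find . -type f -exec sha256sum {} +)
}

# bundle_diff RELEASE.tar.gz TAG.tar.gz: print one sorted line per differing path
#   only-in-release PATH   added at release time (generated, or injected)
#   changed PATH           content differs from the tagged source
#   only-in-tag PATH       source file that the bundle does not ship
bundle_diff() {
    work=$(mktemp -d) || return 2
    mkdir "$work/release" "$work/tag"
    tar -xzf "$1" -C "$work/release" --strip-components=1 &&
        tar -xzf "$2" -C "$work/tag" --strip-components=1 || { rm -rf "$work"; return 2; }
    manifest "$work/tag" > "$work/tag.sums"
    manifest "$work/release" > "$work/release.sums"
    awk '
        { h = substr($0, 1, 64); p = substr($0, 69) }   # 64 hex digits, two spaces, "./"
        FILENAME == ARGV[1] { tag[p] = h; next }
        !(p in tag) { print "only-in-release " p; next }
        tag[p] != h { print "changed " p }
        { seen[p] = 1 }
        END { for (p in tag) if (!(p in seen)) print "only-in-tag " p }
    ' "$work/tag.sums" "$work/release.sums" | sort
    rm -rf "$work"
}

# Constructed sample trees (not the real project's files): the release inlines a
# version string and ships a generated man page instead of its markdown source.
demo() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/src-1.0/bin" "$d/rel-1.0/bin" "$d/rel-1.0/man"
    printf 'VERSION=@VERSION@\n' > "$d/src-1.0/bin/tool"
    printf 'VERSION=1.0\n' > "$d/rel-1.0/bin/tool"
    printf 'GPL\n' > "$d/src-1.0/LICENSE"; cp "$d/src-1.0/LICENSE" "$d/rel-1.0/LICENSE"
    printf '# tool\n' > "$d/src-1.0/tool.8.md"
    printf '.TH TOOL 8\n' > "$d/rel-1.0/man/tool.8"
    tar -czf "$d/tag.tar.gz" -C "$d" src-1.0
    tar -czf "$d/release.tar.gz" -C "$d" rel-1.0
    bundle_diff "$d/release.tar.gz" "$d/tag.tar.gz"
    rm -rf "$d"
}

[ "$#" -ne 2 ] || bundle_diff "$1" "$2"
```

Every path it prints is one a reviewer has to account for from the build recipe, since none of them is covered by reading the tagged source alone.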

Zerfithel commented on 2024-09-24 21:23 (UTC)

PKGBUILD does not seem suspicious. I checked it and haven't found anything that could harm your PC. It works, and thank you for making this; it helped me a lot.

Basher52 commented on 2024-09-13 20:25 (UTC)

Been using this a "couple" of times and this NEVER happened and now it did. I feel like a fool and the reality of this shows I am ;)

Just for a test, as you replied, I tried this script again for test for a kernel 'downgrade' and I got what I wanted.

WTF did I not do that last, like, 20 times?

SO sorry for this. Just shows that I'm an idiot and should probably leave the Linux-thing.

PS. I will NEVER leave LINUX <3 <3 <3

SO SORRY!!!!

brisbin33 commented on 2024-09-13 19:40 (UTC)

> easier to get the correct package without knowing the exact name of it

Hmm I don't know if I totally follow what you mean. Can you be more specific?

> Like looking for a kernel downgrade, just type linux and it shows just those

This seems to be the behavior as far as I can tell.

Feel free to open an Issue on GitHub too, I'll probably be more responsive.

Basher52 commented on 2024-09-13 15:35 (UTC)

I'm asking for a small(?) feature-add :P

As of this fzf thing out there, is there a chance you could add that so it's easier to get the correct package without knowing the exact name of it. I was thinking of cloning this and doing it but I don't have much free time and this is YOUR thing so...

Like looking for a kernel downgrade, just type linux and it shows just those etc.

Love this tho :D