Hi. I don’t know how to make this AUR install with manual intervention. I did manage to get the hash from the tar file on Thunderbird’s website, but no clue what to do after that.
I would wait for the maintainer to fix it, but it’s been a few days and I need my email now. I would really like to download this from the AUR rather than setting it up from the tarball instead. Specifically for the benefit of future updates.
I’ve always used the beta and enjoyed it, but I just got a new computer and, to my bad luck, during setup this AUR has got this issue. I’ve never had to go through the process of manual intervention on an AUR, so I thought I would ask here, hoping to get educated on the process.
I did give a crack at it before posting here, but I failed. I looked at the terminal output of the AUR install, and it appeared the tar file didn’t have the current checksum, so I downloaded the tarball from Thunderbird’s site and got the new checksum, but I don’t know what to do with it and how to further proceed.
Flathub has a flatpak of the public/ga/released version.
If the OP sticks with beta, that may bring breakage, obviously. I don’t think the Thunderbird devs mean to have the beta version used for long. But maybe when they are approaching a release. It’s complicated.
Can you explain this a bit further? Just so I understand it. So you would download the package build in a temp dir. Then open a terminal in that dir and run this command? Or can you do it on the fly if you try installing an AUR package and need to do this?
When you download a pkg from AUR, e.g. paru -G librewolf, the checksums in the PKGBUILD should be ok. But if you manually change or add a source into the PKGBUILD you have a mismatch of checksums and makepkg will fail. In that case you have to run updpkgsums first. This will download all sources and update all checksums.
I’ve never done this, so I’m still a little confused about (manually change or add a source). I have before, with Spotify, changed the sum while running an install of the AUR package by editing it. I guess maybe the word source is throwing me off? I’m not that well versed with package build. Editing it I had no problem with, but I just never used updpkgsums either.
Please excuse me @ricklinux if I’ve misunderstood what you say. I know you know your stuff.
Just a clarification. With the AUR one is downloading a recipe (PKGBUILD) for an Arch package. An Arch package is then built on the user’s system. I acknowledge you may have already implied this with “package build [script]” (aka PKGBUILD).
The recipe may draw on various components, such as dependencies already existing within official repositories, or the AUR (listed under depends and makedepends).
If not available there though, it can pull in components from pretty much any other source.
This is source as in a location-of-origin, not source as in source-code, although it could include source-code and various other things. It could include a Git repository containing source-code (to be compiled locally) as is often the case with open-source AUR packages not labelled -bin, or pre-compiled binaries, or images and icons, patches, key files, PDFs with licenses, whatever.
Multiple source entries can be specified, and respectively, multiple checksums can be defined to verify the integrity of those source entries (sha512sums in the context of this thread).
All I know about package build is using AUR to install. But what I was pointing out is that I have edited the package the odd time, such as with Spotify, if it doesn’t have the right key or checksum, and have added the correct one and then installed. I mean I have also installed using makepkg to build and install, but I don’t have significant knowledge.
The word source just doesn’t mean much to me unless I am given a reference to what it’s referring to.
In the example in the screenshot below, components are downloaded from three defined sources (indicated in red). If one was to “add a source into the PKGBUILD” as @mbod noted, they would be adding to or updating these values.
Respectively, the checksums of these components are then verified against the three values specified in sha512sums (indicated in green).
Running updpkgsums downloads the components listed under source, and updates their respective values listed under sha512sums (or other optionally specified checksum types such as md5sums or sha256sums).
This makes sense. I just never seem to need to edit the pkgbuild very often. I have not had many issues with any AUR packages when installing them. Thanks for explaining it a little more.
I believe this is a good opportunity to come back to this “AUR Security discussion” where I made a statement about checking the source an AUR package is using:
The screenshot from @Bink is a good illustration of how that can work. The screenshot shows the thunderbird-beta-bin package, or rather the corresponding PKGBUILD. A malicious packager could potentially use a modified thunderbird source code which would compromise your emails.
Check the source, Luke. In the PKGBUILD you see that it pulls the source directly from mozilla.org. That is good. And there do not seem to be any other sources which look suspicious. That is a first and very simple security check.
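
Added example, not part of the thread or of any AUR package: a Python script for the check described in the last posts. It reads the source and sha512sums arrays from a PKGBUILD without executing it, pairs them up, and lists sources that come from outside an expected domain, use plain HTTP/FTP, or carry SKIP instead of a checksum. The sample PKGBUILD, its hosts and the function names are constructed for illustration; the parser assumes plain array literals with no command substitution.

```python
import re
import shlex
from itertools import zip_longest
from urllib.parse import urlparse

# Constructed sample PKGBUILD (not the real thunderbird-beta-bin recipe).
SAMPLE = '''\
pkgname=mail-client-bin
pkgver=1.0
source=("https://archive.mozilla.org/pub/app-${pkgver}.tar.bz2"
        "launcher.desktop"
        "extras::http://downloads.example.net/extras.tar.gz")
sha512sums=('aaaa1111'
            'bbbb2222'
            'SKIP')
'''

def read_array(text, name):
    """Return the entries of a bash array literal without executing the file."""
    m = re.search(rf'^{name}=\((.*?)\)', text, re.M | re.S)
    return shlex.split(m.group(1), comments=True) if m else []

def audit(text, trusted, sums="sha512sums"):
    """Pair each source with its checksum and list what needs a closer look."""
    sources, checks = read_array(text, "source"), read_array(text, sums)
    findings = []
    if len(sources) != len(checks):
        findings.append(("*", f"{len(sources)} sources but {len(checks)} {sums}"))
    for src, chk in zip_longest(sources, checks, fillvalue=""):
        url = src.split("::", 1)[-1]      # drop the optional "filename::" prefix
        parsed = urlparse(url)
        if chk == "SKIP":
            findings.append((url, "checksum is SKIP, so the file is not verified"))
        if not parsed.scheme:
            continue                      # local file next to the PKGBUILD: read it
        host = parsed.hostname or ""
        if host != trusted and not host.endswith("." + trusted):
            findings.append((url, f"host {host} is outside {trusted}"))
        if parsed.scheme in ("http", "ftp"):
            findings.append((url, "fetched over an unencrypted transport"))
    return findings

if __name__ == "__main__":
    for url, problem in audit(SAMPLE, "mozilla.org"):
        print(f"{url}: {problem}")
```

Pass the upstream project's domain as `trusted`; anything the script reports is a line to open and read in the PKGBUILD before running makepkg.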