Package Details: rar 7.01-1

Git Clone URL: https://aur.archlinux.org/rar.git
Package Base: rar
Description: A command-line port of the rar compression utility.
Upstream URL: https://www.rarlab.com
Keywords: compress decompress rar unrar
Licenses: custom
Conflicts: rar-beta, unrar
Provides: unrar
Submitter: None
Maintainer: Musikolo
Last Packager: Musikolo
Votes: 740
Popularity: 2.27
First Submitted: 2008-10-15 21:38 (UTC)
Last Updated: 2024-05-16 01:19 (UTC)

Required by (101)

Sources (3)

Latest Comments


eang commented on 2017-05-29 16:16 (UTC)

@WorMzy
> What makes you so sure that the maintainer won't simply run updpkgsums and resubmit the package?
I can download the tarball and manually check its checksum with the one claimed in the PKGBUILD.
> How will you know if they do this or liaise with upstream?
We can't know for sure. But this doesn't mean we should ignore the checksum verification altogether.
> How do you know if /any/ package maintainer verifies the source checksums with upstream?
Some do. Again, just because some maintainers don't care doesn't mean we should expose ourselves by ignoring the checksum verification.
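The manual check eang describes, as an added example that is not part of this AUR page or of the rar package: read the md5sum recorded in the PKGBUILD, hash the downloaded tarball, and refuse to proceed on a mismatch rather than regenerating the sum with updpkgsums. The PKGBUILD fragments and the tarball are constructed fixtures written to a temporary directory; no real rarlab file is fetched.

```shell
#!/bin/sh
# Added example (not the AUR package's own code): verify a downloaded source
# tarball against the md5sum recorded in a PKGBUILD instead of running
# updpkgsums. Fixtures below are constructed, not real rarlab tarballs.

# Print the first 32-hex-digit md5 assigned to array $2 (e.g. md5sums_x86_64)
# in PKGBUILD $1. Handles the single-element form md5sums_x86_64=('...').
pkgbuild_md5() {
  sed -n "s/^$2=('\([0-9a-f]\{32\}\)').*/\1/p" "$1" | head -n 1
}

# md5 of a file, using GNU md5sum where available and BSD md5 otherwise.
file_md5() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | cut -d' ' -f1
  else
    md5 -q "$1"
  fi
}

# Exit 0 when tarball $3 matches array $2 in PKGBUILD $1, 1 otherwise.
# A mismatch is a signal to stop and ask upstream, not to edit the sum.
verify_source() {
  expected=$(pkgbuild_md5 "$1" "$2")
  actual=$(file_md5 "$3")
  if [ -z "$expected" ]; then
    echo "no $2 entry found in $1" >&2
    return 1
  fi
  if [ "$expected" = "$actual" ]; then
    echo "OK   $3 matches $2 ($actual)"
    return 0
  fi
  echo "FAIL $3: PKGBUILD says $expected, file hashes to $actual" >&2
  return 1
}

# Scratch directory with a fake tarball and two PKGBUILDs: one whose sum was
# recorded from this exact file, one carrying a stale sum (the old 5.4.0 value
# from the thread, which cannot match the constructed file).
make_fixtures() {
  dir=$(mktemp -d)
  printf 'constructed stand-in for rarlinux-x64-5.4.0.tar.gz\n' \
    > "$dir/rarlinux-x64-5.4.0.tar.gz"
  good=$(file_md5 "$dir/rarlinux-x64-5.4.0.tar.gz")
  printf "pkgver=5.4.0\nmd5sums_x86_64=('%s')\n" "$good" > "$dir/PKGBUILD.good"
  printf "pkgver=5.4.0\nmd5sums_x86_64=('%s')\n" \
    "f7181c0aed3b7be402b95185bd61e646" > "$dir/PKGBUILD.stale"
  echo "$dir"
}

# Returns 0 when the PKGBUILD recorded from the file verifies.
demo_match() {
  d=$(make_fixtures)
  verify_source "$d/PKGBUILD.good" md5sums_x86_64 "$d/rarlinux-x64-5.4.0.tar.gz"
}

# Returns 0 when the stale PKGBUILD is correctly rejected.
demo_mismatch() {
  d=$(make_fixtures)
  if verify_source "$d/PKGBUILD.stale" md5sums_x86_64 \
       "$d/rarlinux-x64-5.4.0.tar.gz" 2>/dev/null; then
    return 1
  fi
  return 0
}

demo_match && demo_mismatch && echo "both checks behaved as expected"
```

A match only proves you received the same bytes the maintainer recorded; it says nothing about whether those bytes were trustworthy when the maintainer fetched them. A mismatch after a silent upstream re-upload, as happened with the 5.4.0 tarballs here, is the check doing its job: the next step is to contact upstream, as Musikolo did, not to overwrite the sum. For new PKGBUILDs prefer the sha256sums array that makepkg also accepts over md5.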

veganvelociraptr commented on 2017-05-26 08:50 (UTC)

The md5sum for rar.1 (whatever that is?) has also changed: 4cffd2771bb4a51e4a68500d799550d8

bric3 commented on 2017-05-24 12:15 (UTC)

For future readers, I edited the PKGBUILD file when asked. The MD5 checksums of the source files (respectively http://www.rarlab.com/rar/rarlinux-5.4.0.tar.gz and http://www.rarlab.com/rar/rarlinux-x64-5.4.0.tar.gz) are:
md5sums_i686=('efa2a5a29f57f34999a9bae355510618')
md5sums_x86_64=('d02b8742478d5e6428c12ee14b2a678d')
And as rarlab removed rar_static, I commented out this line:
# install -Dm755 rar_static "${pkgdir}/usr/bin/rar_static"

<deleted-account> commented on 2017-05-14 03:07 (UTC)

I agree that the maintainer needs to update the package, but now that it is dynamically linked, the maintainer will probably also need to list all the libraries that rar links against as dependencies.

Musikolo commented on 2017-05-13 16:12 (UTC)

@All, I got a reply from one of the developers of Rarlab about the checksum change. This is a short snippet of his reply:
"We received a complaint from Debian maintainers that statically linked rar violates LGPL:
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860952;msg=5
and updated:
- http://rarlab.com/rar/rarlinux-5.4.0.tar.gz
- http://rarlab.com/rar/rarlinux-x64-5.4.0.tar.gz
to remove rar_static from the package. These files on rarlab.com are valid and our server is not compromised."
@FadeMind, since everything seems to be alright, would you mind updating the package accordingly? Thank you!

Musikolo commented on 2017-05-13 03:33 (UTC)

I just sent an email to the Rarlab development team (http://www.rarlab.com/feedback.htm). I hope to get a reply shortly that helps close this discussion. Regards.

WorMzy commented on 2017-05-12 17:16 (UTC)

Interesting theory. What makes you so sure that the maintainer won't simply run updpkgsums and resubmit the package? How will you know if they do this or liaise with upstream? How do you know if /any/ package maintainer verifies the source checksums with upstream?

eang commented on 2017-05-12 17:05 (UTC)

This package should be considered unsafe until its maintainer updates the checksum in the PKGBUILD (after checking that the tarball is ok). If you manually change the checksum in your local PKGBUILD, you are just exposing yourself to a potential attack.

Musikolo commented on 2017-05-09 00:20 (UTC)

@spirtbrat/Pietro_Pizzi, thanks for your replies. Everyone is right! My concern comes from the fact that the checksum shouldn't change once the maintainer updates the PKGBUILD for any given version. Any change without further notice is a reason to suspect the file is no longer secure, and/or that the server where the file is stored could have been compromised.

If anyone was able to build version 5.4.0 64-bit with the checksum available in the PKGBUILD (f7181c0aed3b7be402b95185bd61e646), then Houston, we have a situation! The file could have been compromised on the server. It's also possible the RarLab team has legitimately modified the file, but IMO that's very unlikely. However, if nobody was able to build it and everyone was always getting the same issue, then the maintainer might have forgotten or used the wrong checksum. The new checksum is d02b8742478d5e6428c12ee14b2a678d.

So, just to clarify, has anyone been able to build the package with the old checksum (f7181c0aed3b7be402b95185bd61e646)? Thank you!

vasily commented on 2017-05-06 21:57 (UTC)

Jesus Christ, people are touchy. I must've been too harsh in my comment. The upstream rar package is different from the one the PKGBUILD was made for, without changing either the minor or the major version number. This shouldn't be surprising. rar is not open source and they can do whatever they like. Either the PKGBUILD maintainer should update the checksum, or the user should ignore the check (--skipchecksums). Besides, there's no 'rar_static' in the current download from rarlab, so probably the maintainer should intervene. Anyway, use anything else for compression (zstandard) or unrar for decompression and you'll avoid most of the drama.