Package Details: zfs-dkms 2.2.6-1

Git Clone URL: https://aur.archlinux.org/zfs-dkms.git (read-only)
Package Base: zfs-dkms
Description: Kernel modules for the Zettabyte File System.
Upstream URL: https://zfsonlinux.org/
Licenses: CDDL
Provides: SPL-MODULE, zfs, ZFS-MODULE
Submitter: isiachi
Maintainer: kstolp
Last Packager: kstolp
Votes: 178
Popularity: 5.47
First Submitted: 2015-08-31 12:01 (UTC)
Last Updated: 2024-09-05 04:42 (UTC)

Pinned Comments

kstolp commented on 2023-09-29 00:34 (UTC)

When requesting changes, please include detailed reasoning for the change.

kstolp commented on 2023-01-07 09:31 (UTC)

If you receive this error when trying to build, it is because you have not imported the GPG keys used for verification.

==> ERROR: One or more PGP signatures could not be verified!

You have two options:

1) Import the two keys into your keyring. ArchWiki article. You can find the key IDs in the PKGBUILD file, in the validpgpkeys array. (recommended)

2) Alternatively, you can skip this verification by passing the --skippgpcheck argument to makepkg when building. (not recommended)

Latest Comments

Achelous commented on 2018-06-09 17:04 (UTC)

I agree with @RubenKelevra that checksums should be used.

@Eschwartz: security wasn't mentioned in his comment, but if he had mentioned it, he would have been right to.

A checksum would ensure that the source hasn't changed since the package maintainer downloaded it. This:

(1) Protects users against targeted MitM attacks (e.g. an oppressive government pretending to be GitHub), and

(2) Protects against an attacker taking over the zfsonlinux GitHub account, and pointing the existing tag at some malicious code (as long as the breach happens after the AUR maintainer downloads the source).

That sounds like a security improvement to me!

As @RubenKelevra notes, there's also a PGP signed .asc file available, and there's no good reason why this shouldn't be used.

As for the pointless whatabout-ism, yes there may be other (higher-profile) packages which make the same mistake, but that's no reason not to fix it here. It shouldn't be necessary to comment on every single one to be allowed the privilege of commenting here.

eschwartz commented on 2018-05-06 17:02 (UTC) (edited on 2018-05-06 21:29 (UTC) by eschwartz)

Checksums don't add security, that's why they're the "integrity check", not the "security check". Do you know how many [core] packages don't have PGP signatures available at all? Those are used on far more devices.

Granted, using PGP when available is always nice. But I don't see you screeching at the non-dkms package maintainer to fix his packages...

Edit: to clarify, I even like strong integrity checks myself, because they're definitely better than nothing and it can only help. But you're going about this totally the wrong way and you should also consider the old saying about people who live in glass houses.

RubenKelevra commented on 2018-05-05 13:41 (UTC)

Please add some kind of checksum checking to this package. Currently, the source integrity fully relies on a valid https certificate and the server behind it returning the right data. This doesn't sound right for a kernel module used in thousands of devices.

You can switch to a download link of the release, instead of a git clone (which also reduces the download time and the server load) like this:

https://github.com/zfsonlinux/zfs/releases/download/zfs-0.7.8/zfs-0.7.8.tar.gz

Then you can just add a checksum for this archive.

Since they also provide a .asc file, it should be loaded and used to verify the sources too.
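
An added example, not part of the original comments or the package's PKGBUILD: a POSIX shell function that audits the pinning requested above by reading a PKGBUILD as text, reporting which sources lack a checksum, whether a detached signature is listed, and which validpgpkeys fingerprints (the ones the pinned comment says to import) it names. The function names, output labels, the git source line, and the hash and fingerprint placeholders are assumptions constructed for illustration.

```shell
# Added example: audit a PKGBUILD's source pinning by reading it as text.
# Nothing in the file is executed. Simplifications: only sha256sums is read,
# and bash brace expansion such as {,.asc} is not expanded.
audit_pkgbuild() {
    cat "$@" | tr -d "\"'" | awk '
    /^(source|sha256sums|validpgpkeys)=\(/ {
        name = $0; sub(/=.*/, "", name)   # which array starts on this line
        sub(/^[^(]*\(/, "")               # keep only what follows "("
        inarr = 1
    }
    inarr {
        sub(/[ \t]#.*/, "")               # drop comments, keep URL #fragments
        closed = sub(/\).*/, "")          # ")" ends the array
        n = split($0, tok, /[ \t]+/)
        for (i = 1; i <= n; i++)
            if (tok[i] != "") item[name, ++count[name]] = tok[i]
        if (closed) inarr = 0
    }
    END {
        for (i = 1; i <= count["source"]; i++) {
            src = item["source", i]; sum = item["sha256sums", i]
            if (src ~ /\.(asc|sig|sign)$/) { signed = 1; continue }
            if (sum == "" || sum == "SKIP") print "UNPINNED " src
            else print "PINNED " src
        }
        if (!signed) print "NO-SIGNATURE-SOURCE"
        else if (count["validpgpkeys"] == 0) print "NO-VALIDPGPKEYS"
        for (i = 1; i <= count["validpgpkeys"]; i++)
            print "KEY " item["validpgpkeys", i]
    }'
}

# Constructed samples: a VCS checkout with no checksum, then the release
# tarball plus detached signature. Hash and fingerprint are placeholders.
sample_unpinned() {
    printf '%s\n' \
        'source=("git+https://github.com/zfsonlinux/zfs.git#tag=zfs-0.7.8")' \
        "sha256sums=('SKIP')"
}
sample_pinned() {
    url=https://github.com/zfsonlinux/zfs/releases/download/zfs-0.7.8/zfs-0.7.8.tar.gz
    printf '%s\n' \
        "source=(\"$url\"" "        \"$url.asc\")" \
        "sha256sums=('REPLACE_WITH_TARBALL_SHA256'  # placeholder" \
        "            'SKIP')" \
        "validpgpkeys=('REPLACE_WITH_40_HEX_FINGERPRINT')  # placeholder"
}
sample_unpinned | audit_pkgbuild; sample_pinned | audit_pkgbuild
```

A `SKIP` next to the `.asc` entry is expected, since the signature file is what verifies the tarball; `NO-VALIDPGPKEYS` flags a signature source with no fingerprint pinned in the PKGBUILD.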

RubenKelevra commented on 2018-05-05 13:38 (UTC)

Please add some kind of checksum checking to this package. Currently, the source integrity fully relies on a valid https certificate and the server behind it returning the right data. This doesn't sound right for a kernel module used in thousands of devices.

You can switch to a download link of the release, instead of a git clone (which also reduces the download time and the server load) like this:

https://github.com/zfsonlinux/spl/archive/spl-0.7.8.tar.gz

Then you can just add a checksum for this archive.

bus commented on 2018-04-22 17:31 (UTC)

Doesn't seem to make sense to hold these packages hostage if you do not have the time to increment a few digits in response to a major data-corrupting regression within 2 weeks. You're just letting people down with consistently late updates.

zlima12 commented on 2018-04-12 04:39 (UTC)

I would highly recommend using the archzfs repository with pacman instead of this package as it is updated much faster.

breul99 commented on 2018-04-11 18:31 (UTC)

Please bump to 0.7.8 as there was a major regression in 0.7.7 https://github.com/zfsonlinux/zfs/releases/tag/zfs-0.7.8

leothrix commented on 2018-03-24 03:38 (UTC)

Could the aarch64 architecture be added to the PKGBUILD? The ZFS on Linux project states that the arch is supported (https://github.com/zfsonlinux/zfs/wiki/FAQ) and I've been using a modified PKGBUILD compiled on aarch64 successfully for some time as well.