Package Details: firefox-nightly 50.0a1.20160611-2

Git Clone URL: https://aur.archlinux.org/firefox-nightly.git (read-only)
Package Base: firefox-nightly
Description: Standalone web browser from mozilla.org, nightly build
Upstream URL: http://www.mozilla.org/projects/firefox
Keywords: firefox web_browser
Licenses: GPL, MPL, LGPL
Submitter: None
Maintainer: xenom
Last Packager: xenom
Votes: 444
Popularity: 4.895771
First Submitted: 2008-09-10 14:23
Last Updated: 2016-06-11 12:42

Latest Comments

michabuntu commented on 2016-06-09 16:51

yeah, that worked
thanks

blitz commented on 2016-06-07 15:29

Upstream URL: http://www.mozilla.org/projects/firefox
404 Page not found
Whoops!
Did you make a left at that last URL instead of a right?

di72nn commented on 2016-06-07 14:29

@michabuntu

> Found firefox-49.0a1.en-US.linux-x86_64.tar.bz2
> Found firefox-49.0a1.en-US.linux-x86_64.txt
> Found firefox-49.0a1.en-US.linux-x86_64.checksums
> Found firefox-49.0a1.en-US.linux-x86_64.checksums.asc

and

> 49.0a1.20160501-1

suggest that you have outdated sources (probably dated as `20160501` -_- ).

Try:
rm firefox-49.0a1.en-US.linux-* && makepkg

michabuntu commented on 2016-06-07 13:34

==> Making package: firefox-nightly 49.0a1.20160604-2 (Tue Jun 7 15:33:21 CEST 2016)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
-> Found firefox-nightly.desktop
-> Found firefox-nightly-safe.desktop
-> Found vendor.js
-> Found firefox-49.0a1.en-US.linux-x86_64.tar.bz2
-> Found firefox-49.0a1.en-US.linux-x86_64.txt
-> Found firefox-49.0a1.en-US.linux-x86_64.checksums
-> Found firefox-49.0a1.en-US.linux-x86_64.checksums.asc
==> Validating source files with sha512sums...
firefox-nightly.desktop ... Passed
firefox-nightly-safe.desktop ... Passed
vendor.js ... Passed
firefox-49.0a1.en-US.linux-x86_64.tar.bz2 ... Skipped
firefox-49.0a1.en-US.linux-x86_64.txt ... Skipped
firefox-49.0a1.en-US.linux-x86_64.checksums ... Skipped
firefox-49.0a1.en-US.linux-x86_64.checksums.asc ... Skipped
==> Verifying source file signatures with gpg...
firefox-49.0a1.en-US.linux-x86_64.checksums ... Passed
==> Extracting sources...
-> Extracting firefox-49.0a1.en-US.linux-x86_64.tar.bz2 with bsdtar
==> Starting prepare()...
==> Verifying checksums...
firefox-49.0a1.en-US.linux-x86_64.tar.bz2: FAILED
firefox-49.0a1.en-US.linux-x86_64.txt: FAILED
sha512sum: WARNING: 2 computed checksums did NOT match
==> ERROR: A failure occurred in prepare().
Aborting...
The build failed.

So, the first check from makepkg is okay and the new extra build in one, now fails? And it is not upgrading but downgrading from 49.0a1.20160502-1 to 49.0a1.20160501-1

di72nn commented on 2016-06-05 03:53

@parkerlreed,
https://gpg.mozilla.org/pks/lookup?op=get&search=0x61B7B526D98F0353
https://pgp.mit.edu/pks/lookup?op=get&search=0x61B7B526D98F0353
https://ftp.mozilla.org/pub/firefox/releases/45.1.1esr/KEY
and a blog post: http://hearsum.ca/blog/mozilla-software-release-gpg-key-transition.html

1C69C4E55E9905DB is a subkey, you don't need to import it explicitly.

I also included a comment in the proposed PKGBUILD:
gpg --keyserver pgp.mit.edu --recv-keys 14F26682D0916CDD81E37B6D61B7B526D98F0353
but you should verify it yourself.

parkerlreed commented on 2016-06-04 22:23

If we do want to use gpg verification, what keyserver is it on?

==> Validating source files with sha512sums...
firefox-nightly.desktop ... Passed
firefox-nightly-safe.desktop ... Passed
vendor.js ... Passed
firefox-49.0a1.en-US.linux-x86_64.tar.bz2 ... Skipped
firefox-49.0a1.en-US.linux-x86_64.txt ... Skipped
firefox-49.0a1.en-US.linux-x86_64.checksums ... Skipped
firefox-49.0a1.en-US.linux-x86_64.checksums.asc ... Skipped
==> Verifying source file signatures with gpg...
firefox-49.0a1.en-US.linux-x86_64.checksums ... FAILED (unknown public key 1C69C4E55E9905DB)
==> ERROR: One or more PGP signatures could not be verified!

xenom commented on 2016-05-29 08:59

Thanks for the suggestions. I will look at it in details soon.

di72nn commented on 2016-05-26 20:51

Hello xenom. I propose some changes: https://gist.github.com/di72nn/40b64a133679bf424444a00fe14d8301
* Use GPG-verificataion by default (currently: if we download checksums from the same source as binaries, we can't guarantee any security).
* Get build date from "${_file}-${CARCH}.txt" (the date format does not change).
* Make use of $CARCH variable to get rid of duplicated code.

Getting GPG and checksums verification is a bit tricky: in this case the checksums file contains a bunch of different checksums so we probably can't tell makepkg to use it. Hence, I use makepkg to verify GPG signature, then manually verify files by that GPG-verified checksums file (er, by "manually" I mean: with PKGBUILD code, not with makepkg functionality).
(I'm aware that PKGBUILD already contains commented out part that allows to verify checksums file, but that checksums file is not really used to check anything since sha512sums array is populated with another curl request).

Oh, and if somebody for some weird reason does not want to use GPG-verification, it can be easily skipped with --skippgpcheck.

klausenbusk commented on 2016-05-14 14:44

Hello xenom

I think you should change pkgver to use the BuildID available in application.ini, it more correct I think :)

- Kristian

xenom commented on 2016-05-11 18:59

The pkgver are the same in the files. But the pkgver is automatically updated with the date of the day to keep trace of the date of the nightly build used.

All comments