Package Details: rar 5.4.0-1

Git Clone URL: https://aur.archlinux.org/rar.git (read-only)
Package Base: rar
Description: A command-line port of the rar compression utility
Upstream URL: http://www.rarlab.com
Keywords: rar unrar
Licenses: custom
Conflicts: rar-beta
Submitter: None
Maintainer: taylorchu (FadeMind)
Last Packager: FadeMind
Votes: 680
Popularity: 3.014435
First Submitted: 2008-10-15 21:38
Last Updated: 2017-01-18 19:57

Latest Comments

bric3 commented on 2017-05-24 12:15

For future readers, I edited the PKGBUILD file when asked.

The MD5 checksums of the source files (http://www.rarlab.com/rar/rarlinux-5.4.0.tar.gz and http://www.rarlab.com/rar/rarlinux-x64-5.4.0.tar.gz respectively):
md5sums_i686=('efa2a5a29f57f34999a9bae355510618')
md5sums_x86_64=('d02b8742478d5e6428c12ee14b2a678d')

And as rarlab removed rar_static, I commented out this line:

# install -Dm755 rar_static "${pkgdir}/usr/bin/rar_static"

Jristz commented on 2017-05-14 03:07

I agree that the maintainer needs to update the pkg, but now that it is dynamically linked the maintainer probably also needs to list all the deps that rar links against.

Musikolo commented on 2017-05-13 16:12

@All,

I got a reply from one of the developers of Rarlab about the checksum change. This is a short snippet of his reply:

"We received a complaint from Debian maintainers that statically linked rar violates LGPL:
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860952;msg=5

and updated:
- http://rarlab.com/rar/rarlinux-5.4.0.tar.gz
- http://rarlab.com/rar/rarlinux-x64-5.4.0.tar.gz

to remove rar_static from the package. These files on rarlab.com are valid and our server is not compromised."

@FadeMind, since everything seems to be alright, would you mind updating the package accordingly?

Thank you!

Musikolo commented on 2017-05-13 03:33

I just sent an email to the Rarlab development team - http://www.rarlab.com/feedback.htm

I hope to get a reply shortly that helps close this discussion.

Regards.

WorMzy commented on 2017-05-12 17:16

Interesting theory. What makes you so sure that the maintainer won't simply run updpkgsums and resubmit the package? How will you know if they do this or liaise with upstream? How do you know if /any/ package maintainer verifies the source checksums with upstream?

eang commented on 2017-05-12 17:05

This package should be considered unsafe until its maintainer updates the checksum in the PKGBUILD (after checking that the tarball is ok). If you manually change the checksum in your local PKGBUILD you are just exposing yourself to a potential attack.

Musikolo commented on 2017-05-09 00:20

@spirtbrat/Pietro_Pizzi thanks for your replies. Everyone is right!

My concern comes from the fact that the checksum shouldn't change once the maintainer updates the PKGBUILD for any given version. Any change without further notice is a reason to suspect the file is no longer secure, and/or the server where the file is stored could have been potentially compromised.

If anyone was able to build version 5.4.0 64-bit with the checksum available in the PKGBUILD (f7181c0aed3b7be402b95185bd61e646), then Houston, we have a situation! The file could have been compromised in the server. It's also possible the RarLab team has legitimately modified the file, but IMO that's very unlikely.

However, if nobody was able to build it and everyone was getting the same issue, then the maintainer might have forgotten or used the wrong checksum. The new checksum is d02b8742478d5e6428c12ee14b2a678d.

So, just to clarify, has anyone been able to build the package with the old checksum (f7181c0aed3b7be402b95185bd61e646)?

Thank you!

spirtbrat commented on 2017-05-06 21:57

Jesus Christ, people are touchy. I must've been too harsh in my comment.
The upstream rar package is different from the one the PKGBUILD was made for, without changing either the minor or the major version number. This shouldn't be surprising. rar is not open source and they can do whatever they like.
Either the PKGBUILD maintainer should update the checksum, or the user should ignore the check (--skipchecksums).
Besides, there's no 'rar_static' in the current download from rarlab, so probably the maintainer should intervene.
Anyways - use anything else for compression (zstandard) or unrar for decompression and you'll avoid most of the drama.

Pietro_Pizzi commented on 2017-05-06 21:25

@spirtbrat:
I tried to be nice and helpful (not just now, ever!). I studied computer science but I also learned a lot through forums, blogs and so on, so I want to give something back. Not everyone who installs arch is a Linux nerd and knows what I tried to explain. I'm also no arch guru but I think my explanation is good enough to understand. So why are you such a jerk? Particularly in this case where you obviously can't read and write and don't have anything helpful to say!

1. He tried to install the x64 version and therefore my md5sum is correct!
2. If you and every other user get the efa... md5 for the NOT x64 version then the md5 in the pkgbuild is incorrect for this one as well. See the md5s from the pkgbuild:
md5sums_i686=('cd1fede60f8dde36f62283f371e7cc6b')
md5sums_x86_64=('f7181c0aed3b7be402b95185bd61e646')
3. I didn't give him the advice to replace the checksum with arbitrary numbers. I did the total opposite. I showed him a way to get the number by himself. And in addition, for lazy dudes, I gave the CORRECT # too. Anyone, besides you, can check that I posted no "bullshit" by copy&pasting the commands I explained.
4. And BTW, "nobody should not..." means "everybody should..." and I think you don't mean that!?
5. But OK, sorry that I didn't give a lesson that you shouldn't trust strangers on the Internet or trolls like you. I don't think in this direction when I'm posting because I'm a good guy and don't post "bullshit", at least I try. I know nobody can know this, but that's why I have given the instructions.

@all:
So enough of this. For all the other serious guys, if you have trouble updating to 5.4, I have managed it:
1. If you have something that depends on unrar (sabnzbd in my case), install unrar like @FadeMind says. In this process you have to remove rar. If you don't do it that way rar can't get installed because it removes unrar and that would break the dependency for your other app.
2. (Re)install rar and edit the pkgbuild:
A. Change the md5sum for your version, like I explained before.
B. I'm not sure about this but it works for me: Remove the line that would install rar_static. The install process can't find the file and I checked both tar.gz files and it really isn't there. If anybody knows better please enlighten us, or at least me ;).
3. Save the pkgbuild, finish the install and now it should work.

Hope this helps again!
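As an added example (not part of this AUR page or of the rar package), the script below does in code the two checks that this thread did by hand: it compares a downloaded tarball's MD5 with the sum recorded in a PKGBUILD, and it looks inside the archive for the rar_static binary that disappeared from the 5.4.0 release. The PKGBUILD fragment and the tarball contents are constructed; the two MD5 values are the ones quoted in the comments above. The `rewrite_md5` helper mimics what `updpkgsums` does, which shows the point raised by WorMzy and eang: once the recorded sum is rewritten, the check passes whether or not anyone reconciled the new file with upstream, so a mismatch on an unchanged version number is a stop signal to investigate, not a value to patch over.

```python
import hashlib
import io
import re
import tarfile

# Constructed PKGBUILD fragment (not the real AUR file). The sums are the
# values quoted in the thread for the 5.4.0 tarballs after rarlab re-released them.
SAMPLE_PKGBUILD = """\
pkgname=rar
pkgver=5.4.0
source_i686=("http://www.rarlab.com/rar/rarlinux-${pkgver}.tar.gz")
source_x86_64=("http://www.rarlab.com/rar/rarlinux-x64-${pkgver}.tar.gz")
md5sums_i686=('efa2a5a29f57f34999a9bae355510618')
md5sums_x86_64=('d02b8742478d5e6428c12ee14b2a678d')
"""


def recorded_md5(pkgbuild_text, arch):
    """Return the md5 recorded for `arch` (e.g. md5sums_x86_64=('...')), or None."""
    pattern = r"^md5sums_%s=\('([0-9a-f]{32})'\)" % re.escape(arch)
    m = re.search(pattern, pkgbuild_text, re.MULTILINE)
    return m.group(1) if m else None


def rewrite_md5(pkgbuild_text, arch, new_md5):
    """Replace the recorded sum for `arch`, as updpkgsums would. No verification happens here."""
    pattern = r"^(md5sums_%s=\(')[0-9a-f]{32}('\))" % re.escape(arch)
    return re.sub(pattern, lambda m: m.group(1) + new_md5 + m.group(2),
                  pkgbuild_text, flags=re.MULTILINE)


def make_tarball(members):
    """Build an in-memory .tar.gz from {name: bytes}; constructed test data only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def check_source(tarball_bytes, pkgbuild_text, arch):
    """Compare the tarball against the PKGBUILD and report whether rar_static is inside."""
    actual = hashlib.md5(tarball_bytes).hexdigest()
    expected = recorded_md5(pkgbuild_text, arch)
    with tarfile.open(fileobj=io.BytesIO(tarball_bytes), mode="r:gz") as tf:
        names = [m.name for m in tf.getmembers()]
    has_static = any(n.split("/")[-1] == "rar_static" for n in names)
    return {
        "expected_md5": expected,
        "actual_md5": actual,
        "checksum_ok": expected is not None and actual == expected,
        "has_rar_static": has_static,
    }


if __name__ == "__main__":
    # Constructed stand-in for the re-released x64 tarball: rar only, no rar_static.
    tarball = make_tarball({"rar/rar": b"\x7fELF-constructed-placeholder"})
    report = check_source(tarball, SAMPLE_PKGBUILD, "x86_64")
    print("recorded:", report["expected_md5"])
    print("actual:  ", report["actual_md5"])
    print("checksum ok:", report["checksum_ok"], "| rar_static present:", report["has_rar_static"])
    # Blindly rewriting the sum makes the same file pass; nothing about it was verified.
    patched = rewrite_md5(SAMPLE_PKGBUILD, "x86_64", report["actual_md5"])
    print("after rewrite_md5, checksum ok:", check_source(tarball, patched, "x86_64")["checksum_ok"])
```

Run it as-is to see the mismatch report for the constructed tarball; to check a real download, read the tarball bytes from disk and pass the real PKGBUILD text, then compare the reported sums with what upstream publishes before touching the PKGBUILD.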

spirtbrat commented on 2017-05-06 20:07

@Pietro_Pizzi this is complete bullshit.
The md5sum I and everyone else are currently getting is:
efa2a5a29f57f34999a9bae355510618 for rarlinux-5.4.0.tar.gz
Apparently the rar guys have changed the package. Surprise!

Contrary to your advice, nobody should not just replace the checksum with an arbitrary one from the internet. It makes the whole chain-of-trust thing moot.
You can always ignore it and install anything that's on the interwebs now. But you should warn people not to complain if it's not what they have expected.
