Package Details: zfs-utils 0.7.9-1

Git Clone URL: (read-only)
Package Base: zfs-dkms
Description: Kernel module support files for the Zettabyte File System.
Upstream URL:
Licenses: CDDL
Conflicts: zfs-utils-git, zfs-utils-lts
Submitter: isiachi
Maintainer: isiachi
Last Packager: isiachi
Votes: 59
Popularity: 2.339098
First Submitted: 2015-08-31 12:01
Last Updated: 2018-05-15 10:58

Latest Comments

1 2 3 4 5 6 ... Next › Last »

sylveon commented on 2018-08-06 03:40


The tarball update was done silently, so it could have taken a while of users thinking the source is compromised in some way for the package maintainer to notice and update.

sudoBash418 commented on 2018-08-04 06:25

@sylveon Wouldn't a tarball update like that justify a pkgrel bump and updated checksums?

sylveon commented on 2018-06-10 16:39

The zfs maintainers once had to update the tarballs on an existing release, so using the signature is a better idea than using a checksum.

Achelous commented on 2018-06-09 17:04

I agree with @RubenKelevra that checksums should be used.

@Eschwartz: security wasn't mentioned in his comment, but if he had mentioned it, he would have been right to.

A checksum would ensure that the source hasn't changed since the package maintainer downloaded it. This:

(1) Protects users against targeted MitM attacks (e.g. an oppressive government pretending to be GitHub), and

(2) Protects against an attacker taking over the zfsonlinux GitHub account, and pointing the existing tag at some malicious code (as long as the breach happens after the AUR maintainer downloads the source).

That sounds like a security improvement to me!

As @RubenKelevra notes, there's also a PGP signed .asc file available, and there's no good reason why this shouldn't be used.

As for the pointless whatabout-ism, yes there may be other (higher-profile) packages which make the same mistake, but that's no reason not to fix it here. It shouldn't be necessary to comment on every single one to be allowed the privilege of commenting here.

Eschwartz commented on 2018-05-06 17:02

Checksums don't add security, that's why they're the "integrity check", not the "security check". Do you know how many [core] packages don't have PGP signatures available at all? Those are used on far more devices.

Granted, using PGP when available is always nice. But I don't see you screeching at the non-dkms package maintainer to fix his packages...

Edit: to clarify, I even like strong integrity checks myself, because they're definitely better than nothing and it can only help. But you're going about this totally the wrong way and you should also consider the old saying about people who live in glass houses.

RubenKelevra commented on 2018-05-05 13:41

Please add some kind of checksum checking to this package. Currently, the source integrity fully relies on a valid https certificate and the server behind it returning the right data. This doesn't sound right for a kernel module used in thousands of devices.

You can switch to a download link of the release, instead of a git clone (which also reduces the download time and the server load) like this:

Then you can just add a checksum for this archive.

Since they also provide a .asc file, it should be loaded and used to verify the sources too.

bus commented on 2018-04-22 17:31

Doesn't seem to make sense to hold these packages hostage if you do not have the time to increment a few digits in response to a major data-corrupting regression within 2 weeks. You're just letting people down with consistently late updates.

zlima12 commented on 2018-04-12 04:39

I would highly recommend using the archzfs repository with pacman instead of this package as it is updated much faster.

breul99 commented on 2018-04-11 18:31

Please bump to 0.7.8 as there was a major regression in 0.7.7

leothrix commented on 2018-03-24 03:37

Could the aarch64 architecture be added to the PKGBUILD? The ZFS on Linux projects states that the arch is supported ( and I've been using a modified PKGBUILD compiled on aarch64 successfully for some time as well.