[arch-dev-public] Stronger Hashes for PKGBUILDs
It has been discussed and suggested by a lot of different people[1] that we should use stronger hashes inside our PKGBUILDs. Since we now must check for and use https and GPG when that is possible[2], we should also consider making the switch to stronger hashes.

Server cracks and MitM attacks could lead to the fetching of tampered source files that are used for package building. This can be dangerous when older packages must be rebuilt automatically or are modified. Using a weak hash function's message digests for verification could lead to the use of tampered source files without us noticing. Especially when https and GPG cannot be used, it is a must to use strong hashes for verifying the integrity of the sources.

**The usage of weak hash function algorithms (md5 and sha1) must be avoided.** sha512 must become the default. If upstream uses message digests of weak hash function algorithms, those message digests can also be included in the PKGBUILD files, and they should be seen as an additional check. Stronger hashes have **no disadvantages, they can only improve security**.

We should also change the default value of INTEGRITY_CHECK in /etc/makepkg.conf to use sha512 by default, as suggested multiple times on the bugtracker[1]. The wiki[3] needs to be changed according to our new GPG, https and hash guidelines.

We, as the Arch Linux distribution, should try to provide our users the best security for our packages as well as the PKGBUILDs.

Thanks for all your support!

[1] Depreciate md5 and sha1
- https://lists.archlinux.org/pipermail/arch-general/2009-January/003215.html
- https://bugs.archlinux.org/task/51236
- https://bugs.archlinux.org/task/39210
- https://bugs.archlinux.org/task/38543
- https://bugs.archlinux.org/task/12772

[2] https and GPG
- https://lists.archlinux.org/pipermail/arch-dev-public/2016-October/028416.ht...
- https://www.archlinux.org/todo/use-gpg-signatures-and-https-sources/

[3] https://wiki.archlinux.org/index.php/PKGBUILD#Integrity
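The following is an added example, not part of NicoHood's post and not makepkg's own code: a small bash re-implementation of how makepkg treats the checksum arrays of a PKGBUILD, to show the proposed policy in practice. Every declared `*sums` array is verified against each entry of `source`, so an upstream-published `md5sums` array can stay as an additional check while `sha512sums` is mandatory; the file names, digests and the `verify_sources` / `tamper_source` helpers are constructed for this example.

```bash
#!/bin/bash
# Added example (not from the post or from makepkg): mimic makepkg's handling of
# checksum arrays under the proposed policy: sha512sums required, any other
# declared *sums array (e.g. upstream md5sums) verified as an additional check.

# makepkg.conf: the weak default beside the corrected one (assumed values). This
# only governs which array `makepkg -g` generates; verification checks all arrays.
INTEGRITY_CHECK_WEAK=(md5)
INTEGRITY_CHECK=(sha512)

# Constructed "upstream" source files standing in for downloaded sources.
tmpdir=$(mktemp -d)
printf 'constructed upstream tarball\n' > "$tmpdir/pkg-1.0.tar.gz"
printf 'constructed local patch\n'      > "$tmpdir/fix.patch"

# PKGBUILD-style fragment for them; SKIP is makepkg's marker for "not checked".
source=("$tmpdir/pkg-1.0.tar.gz" "$tmpdir/fix.patch")
sha512sums=("$(sha512sum "${source[0]}" | cut -d' ' -f1)"
            "$(sha512sum "${source[1]}" | cut -d' ' -f1)")
md5sums=("$(md5sum "${source[0]}" | cut -d' ' -f1)"   # digest published upstream
         'SKIP')                                      # nothing published for the patch

# verify_sources: check every source against every declared *sums array.
# Returns 1 if sha512sums is missing or any digest does not match.
verify_sources() {
    local algo arr i sum expected
    declare -p sha512sums >/dev/null 2>&1 || { echo 'sha512sums missing' >&2; return 1; }
    for algo in md5 sha1 sha224 sha256 sha384 sha512; do
        arr="${algo}sums"
        declare -p "$arr" >/dev/null 2>&1 || continue   # array not declared: skip it
        unset -n sums
        local -n sums="$arr"
        for i in "${!source[@]}"; do
            expected="${sums[$i]}"
            [ "$expected" = SKIP ] && continue
            sum=$("${algo}sum" "${source[$i]}" | cut -d' ' -f1)
            if [ "$sum" != "$expected" ]; then
                echo "$algo mismatch for ${source[$i]}" >&2
                return 1
            fi
        done
    done
    return 0
}

# tamper_source N: overwrite source N, simulating a tampered download.
tamper_source() { printf 'tampered contents\n' > "${source[$1]}"; }
```

Because the patch only carries a `SKIP` in `md5sums`, a tampered patch is caught solely by the sha512 digest, which is the situation the policy is meant to cover.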
Participants (1): NicoHood