I noticed that the TrueCrypt package is downloaded over an insecure FTP connection and then only verified using MD5 hashes. https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=p... There are practical collision attacks against MD5. This means an adversary (e.g. the NSA) can construct two versions of the truecrypt binaries, one malicious and one not, which have the same MD5 hash. They can silently replace the file being downloaded with the malicious version and the change will not be detected. This should be fixed to use SHA256 hashes, like the Firefox package: https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=p... How can I help make it use SHA256 instead of MD5? I'm relatively new to arch, so I'm not familiar with what it takes to change something in the repos. Any advice would be appreciated. Are there other packages still being verified with MD5? Can we fix them too? I'll gladly donate my time if it's not something that can be automated. Thanks, -- Taylor Hornby p.s. This might be better suited to arch-dev-public, but I think users should be informed of the vulnerability, so I decided on arch-general.