On Wed, Dec 07, 2016 at 01:58:16AM -0800, Gregory Mullen wrote:
I advocate keeping md5sum as the default because it is broken. If I see someone purely verifying their sources using md5sum in a PKGBUILD (and not pgp signature), I know that they have done nothing to actually verify the source themselves.
I advocate making the default house construction straw... Said the wolf to the three little pigs.
Advocating for MD5 as a "this package is insecure" warning flag makes NO sense at all. Especially when, if the package is secure (because the maintainer verified the PGP sig and then changed to shaXXX), you still know nothing new. But don't say: MD5 is good because I know it's broken, so I know the maintainer didn't do their job?
Either validate the PGP keys, or don't. But don't suggest keeping a broken system because... why again? So you can learn nothing?
I think you misunderstood Allan. What he says is that by default makepkg provides only a protection against broken http links at best. If a maintainer wants security, he must take care of it explicitly. I don't see why this is a bad idea...

Cheers,
L.

--
Leonid Isaev
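To make the distinction in the thread concrete, here is an added example (not from the thread and not makepkg's own code): two constructed PKGBUILD fragments, one with only a checksum array as makepkg generates by default, one where the maintainer explicitly lists the upstream detached signature in source and the signer's fingerprint in validpgpkeys so makepkg verifies the .sig before building, plus a small bash lint that reports which of the two cases a loaded PKGBUILD is. The package name, URLs, checksum values and the fingerprint are placeholders; the hash values are the well-known digests of empty input, used only as syntactically valid fillers.

```shell
#!/bin/bash
# Added example, not code from the thread or from makepkg itself.
# Names, URLs, digests and the fingerprint below are placeholders.

# Clear the PKGBUILD variables so one fragment cannot leak into the next.
reset_pkgbuild_vars() {
    unset pkgname pkgver source md5sums sha256sums validpgpkeys
}

# Fragment 1: what you get by default. An md5sums array only pins the bytes
# the maintainer happened to download; it says nothing about who produced them.
pkgbuild_checksum_only() {
    reset_pkgbuild_vars
    pkgname=example                                   # placeholder
    pkgver=1.0
    source=("https://example.invalid/${pkgname}-${pkgver}.tar.gz")
    md5sums=('d41d8cd98f00b204e9800998ecf8427e')     # placeholder digest
    validpgpkeys=()
}

# Fragment 2: the maintainer takes care of security explicitly: a strong hash,
# the upstream detached signature as a second source entry (checksum 'SKIP',
# since makepkg verifies signature entries instead of hashing them), and the
# signer's full fingerprint in validpgpkeys.
pkgbuild_signed() {
    reset_pkgbuild_vars
    pkgname=example                                   # placeholder
    pkgver=1.0
    source=("https://example.invalid/${pkgname}-${pkgver}.tar.gz"
            "https://example.invalid/${pkgname}-${pkgver}.tar.gz.sig")
    sha256sums=('e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'  # placeholder digest
                'SKIP')
    validpgpkeys=('0000000000000000000000000000000000000000')  # placeholder fingerprint
}

# Lint: returns 0 when the loaded PKGBUILD authenticates its sources (a
# .sig/.asc/.sign entry in source AND a non-empty validpgpkeys), 1 when it
# only checksums them. A checksum array alone, md5 or sha256, proves nothing
# about provenance; it only catches a corrupted or truncated download.
pkgbuild_authenticates() {
    local has_sig=0 entry name
    for entry in "${source[@]}"; do
        name=${entry%%::*}          # "localname::url" form: look at the local name
        case "$name" in
            *.sig|*.asc|*.sign) has_sig=1 ;;
        esac
    done
    if [ "$has_sig" -eq 1 ] && [ "${#validpgpkeys[@]}" -gt 0 ]; then
        echo "signature verification configured (${#validpgpkeys[@]} trusted key(s))"
        return 0
    fi
    if [ "${#md5sums[@]}" -gt 0 ]; then
        echo "md5sums only: download integrity, no authentication (and MD5 is collision-broken)"
    else
        echo "checksums only: download integrity, no authentication"
    fi
    return 1
}

# Stand-alone demo: load each fragment and report.
pkgbuild_checksum_only; pkgbuild_authenticates || true
pkgbuild_signed;        pkgbuild_authenticates
```

The lint mirrors the point Leonid is making: whether the checksum array is md5sums or sha256sums changes nothing about provenance; only the signature entry together with validpgpkeys turns makepkg's download-integrity check into an authenticity check, and that is something the maintainer has to add by hand.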