16 Dec
2016
16 Dec
'16
4:46 p.m.
On Sat, Dec 3, 2016 at 3:27 AM, fnodeuser <subscription@binkmail.com> wrote:
https://lists.archlinux.org/pipermail/arch-dev-public/2016-November/028492.h...
i have a few things to add to this.
the message digests at the download page for the .iso file, must change to sha256 and sha512 ones, or to a sha512 one.
if an upstream does not sign the files, does not have https enabled, and/or refuses to take security and privacy seriously, sha512 must be used in the PKGBUILD files.
in the cases of upstreams that use md5 and/or sha1 message digests, those will be added in a second ALGOsums= line under the sha512sums= line. if they use md5 and sha1, then sha1sums must be used for the second ALGOsums= line.
Once again I must say thanks, fnodeuser.