On 13 January 2014 00:58, Taylor Hornby <havoc@defuse.ca> wrote:
If so, this should be fixed as soon as possible. How feasible would it be? Could it be as simple as making a script that:
1. Finds the 'source' and 'md5sums' lines. 2. Downloads the packages and checks the md5sums. 3. Computes the SHA256sums, and adds them to the file.
If there's anything I can do to help, let me know.
Makepkg supports MD5 and the SHAs. A PKGBUILD can have multiple checksums, but it depends on the maintainer which of them they'd prefer to use. You can get them to deprecate the practice of using MD5-only PKGBUILDs. You're actually concerned about a part of the packaging process that requires human discretion. It is up to the packager to verify that the sources are good. They can proactively search for authentic checksums and signatures. -- GPG/PGP ID: C0711BF1