On Thu, 19 Feb 2015 15:15:42 -0500 Mark Lee <mark@markelee.com> wrote:
> Salutations,
> After trying to build the mpv-0.8.0-1 and finding that the PKGBUILD's checksum was incorrect, I filed a bug report. See <https://bugs.archlinux.org/task/43882?project=5&cat%5B0%5D=33&string=mpv>.
> I filed it under "critical" since an incorrect checksum means that the package was built from source that doesn't match upstream's source. I was told it's not a critical issue and it was downgraded to medium. I'm wondering why incorrect checksums aren't considered "critical".
> Regards, Mark

The checksum matched when the package was built or it wouldn't have built for the maintainer, either. This means it's not a security issue, the only way it could be considered critical. All it means is that upstream changed something, only really affecting people trying to build from the PKGBUILDs. Normally, I would make this low severity, as it really doesn't matter that much.

Doug