On 05/10/2018 05:46 AM, Leonid Isaev via arch-general wrote:
In this regard, I don't understand why we need checksums at all? If upstream: (1) signes source with GPG, it will take care of both integrity and authenticity, so no need for hashes; (2) doesn't provide signatures, rely on gzip/bzip2/xz CRC. It is not cryptographically secure, but we don't need that anyway. Hence, we can substantially simplify makepkg code...
makepkg --skippgpcheck without checksum integrity this would potentially result in corrupted, malformed downloads that aren't caught. Also a check which tells you the file has a bad signature *because the download is malformed* is sort of a weird user experience, and it might not be obvious you should try redownloading. -- Eli Schwartz Bug Wrangler and Trusted User