8 Dec 2016, 1:34 a.m.
On 08/12/16 08:51, sivmu wrote:
> On 07.12.2016 at 10:49, Allan McRae wrote:
>> ...
>> I advocate keeping md5sum as the default because it is broken. If I see someone purely verifying their sources using md5sum in a PKGBUILD (and not pgp signature), I know that they have done nothing to actually verify the source themselves.
>> ...
>
> That is a very dangerous assumption. I know for a fact that many maintainers used md5 for verification because it is the default. There are/were maintainers that downloaded the source, verified the pgp signature and generated the md5 checksum to include it in the PKGBUILD (without the pgp signature)

Idiots... so again using md5sums as the default saves me from people who don't know how to package.

A