14 May 2018, 12:11 a.m.
On Sun, May 13, 2018 at 08:19:19PM +0200, Neven Sajko via arch-general wrote:
> On 13 May 2018 at 20:11, Neven Sajko <nsajko@gmail.com> wrote:
> > I do agree that using md5 is absurd, ...
>
> To clarify, md5 *is* unsecure and is even slower or not significantly faster than hashes from the Keccak and BLAKE2 families; using signatures would be a plus but signatures are not an argument for md5.

It is trivial to enable blake2 support in makepkg using b2sum(1) from the coreutils package. Currently, I only saw Gentoo using it but I didn't do proper research on this...

Yes, md5 is almost as good these days as crc32... It is ok if the sources are gpg-signed, but not on its own.

Cheers,
--
Leonid Isaev