On 01/13/2014 02:49 AM, Rashif Ray Rahman wrote:
If so, this should be fixed as soon as possible. How feasible would it be? Could it be as simple as making a script that:
1. Finds the 'source' and 'md5sums' lines. 2. Downloads the packages and checks the md5sums. 3. Computes the SHA256sums, and adds them to the file.
If there's anything I can do to help, let me know. Makepkg supports MD5 and the SHAs. A PKGBUILD can have multiple checksums, but it depends on the maintainer which of them they'd
On 13 January 2014 00:58, Taylor Hornby <havoc@defuse.ca> wrote: prefer to use. You can get them to deprecate the practice of using MD5-only PKGBUILDs.
You're actually concerned about a part of the packaging process that requires human discretion. It is up to the packager to verify that the sources are good. They can proactively search for authentic checksums and signatures.
Yep, I misunderstood how it works. I thought the PKGBUILD was used on users' systems when they run "pacman -S truecrypt", when in fact the PKGBUILD is only used by the package maintainer to generate the binary packages, which they then sign. So it's not as bad as I thought, and moving to SHA256 doesn't fix the problem. The only solution is to convince the software sources (Mozilla, etc.) to sign the files they release. -- Taylor Hornby