* Allan McRae <allan@archlinux.org> [2014-06-06 07:34:51 +1000]:
On 06/06/14 05:39, me@the-compiler.org wrote:
From: Florian Bruhin <git@the-compiler.org>
There were a few bug reports related to this:

    https://bugs.archlinux.org/task/39210
    https://bugs.archlinux.org/task/38543
    https://bugs.archlinux.org/task/37215
And all those were rejected...
Note that only the first of these reports is actually what this patch changes. The other two propose *disallowing* md5sums entirely, which IMHO is not a good idea. The first one was then closed as a duplicate of one of the others, even though disallowing md5sums and changing the defaults are two completely different things. Looking at the count of bug reports (plus some votes, even on the reports proposing a more radical change), this is at least an issue worth discussing.
The default means that people are using "makepkg -g" to generate them, so it is useless.
From the top of my head, I see three possible scenarios where data corruption can occur:

- On the server itself (wrong file but correct checksum hosted, etc.): This is the only case where a checksum generated via makepkg -g wouldn't help, and I'd guess this is the rarest scenario.
- During transmission to (or on the machine of) the maintainer. While the maintainer initially won't know something is wrong, the users will and will hopefully complain.
- During transmission to (or on the machine of) the user installing the package. I think this is the most common scenario. In this case, it doesn't matter how the checksums were generated by the maintainer.

I do agree using upstream checksums is the best option if they are provided, but sadly that's often not the case. I disagree, though, about checksums being *useless* when they don't come from upstream directly.
People should be using whatever upstream publishes (or better, PGP signatures) to verify files.
Please also note there are PKGBUILDs where there's no upstream source with a checksum (e.g. only VCS sources), and then some added files (install/patches/...).

I did a quick grep against the aur git repo to find out what the current distribution of checksums is, out of curiosity:

    41215 md5sums
     5641 sha256sums
     3230 sha1sums
     2587 sha512sums
       71 sha384sums

So it seems to me the reality is that makepkg -g is still widely used.

[offtopic]
I also found some constructs to automatically get a checksum file from upstream via curl/wget - is this an encouraged thing to do? Though this one probably isn't a good idea :D

    md5sums=(`wget -qO- $source | md5sum | cut -c -32`)
[/offtopic]

No hurt feelings if this patch won't be accepted, but I think it'd be beneficial to hear other thoughts on this.

Florian

-- 
http://www.the-compiler.org | me@the-compiler.org (Mail/XMPP)
GPG 0xFD55A072 | http://the-compiler.org/pubkey.asc
I love long mails! | http://email.is-not-s.ms/
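As an added example, not part of this thread or of makepkg itself: a shell script that tallies which checksum arrays a tree of PKGBUILDs declares, as the grep over the AUR repository above did, and flags arrays whose digests are produced by command substitution at build time (the wget | md5sum construct), which verify nothing. The sample PKGBUILDs and their digests are constructed placeholders.

```bash
#!/bin/bash
# Added example, not from the pacman tree or the patch under discussion.
# Audits PKGBUILD checksum arrays: tallies the algorithms a tree of PKGBUILDs
# declares and flags arrays filled in by command substitution at build time.
set -eu

# Checksum array names makepkg recognises, with optional arch suffix (sha256sums_x86_64).
SUM_RE='(md5|sha1|sha224|sha256|sha384|sha512|b2)sums(_[A-Za-z0-9_]+)?'

# Print "algorithm:status" for each checksum array a PKGBUILD declares.
#   dynamic - values come from $(...) or backticks, e.g. wget | md5sum
#   skip    - at least one entry is SKIP (that source is not verified)
#   static  - literal digests
# Assumption: only the line that opens each array is inspected.
audit_pkgbuild() {
    grep -E "^[[:space:]]*${SUM_RE}=\(" "$1" | while IFS= read -r line; do
        algo=$(printf '%s\n' "$line" | sed -E 's/^[[:space:]]*([a-z0-9]+sums).*/\1/')
        case $line in
            *'$('*|*'`'*) status=dynamic ;;
            *SKIP*)       status=skip ;;
            *)            status=static ;;
        esac
        printf '%s:%s\n' "$algo" "$status"
    done
}

# Tally algorithms over every PKGBUILD below a directory, one count per
# array declaration, like the ad-hoc grep over the AUR repository above.
checksum_histogram() {
    find "$1" -name PKGBUILD -exec grep -hoE "^[[:space:]]*${SUM_RE}=" {} + |
        sed -E 's/^[[:space:]]*([a-z0-9]+sums).*/\1/' | sort | uniq -c | sort -rn
}

# Constructed sample PKGBUILDs (digests are placeholders, not real hashes).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/good" "$demo/bad"
cat > "$demo/good/PKGBUILD" <<'EOF'
source=("https://example.invalid/foo-1.0.tar.gz" "foo.install")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            '1111111111111111111111111111111111111111111111111111111111111111')
EOF
cat > "$demo/bad/PKGBUILD" <<'EOF'
source=("https://example.invalid/bar-2.0.tar.gz" "git+https://example.invalid/bar.git")
md5sums=(`wget -qO- $source | md5sum | cut -c -32` 'SKIP')
EOF
audit_pkgbuild "$demo/bad/PKGBUILD"    # md5sums:dynamic
audit_pkgbuild "$demo/good/PKGBUILD"   # sha256sums:static
checksum_histogram "$demo"
```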