On 1/22/20 9:18 PM, Allan McRae wrote:
Checksums arrays should be filled with values provided by upstream. We currently have md5 set as an unsecure default, and are constantly asked to change it to sha2. However, just changing the default to a stronger checksum gives the user the impression that "makepkg -g" checksums are perfect.
Instead, change the default checksum to a CRC, to make it clear that any checksum generated purely by "makepkg -g" is not ideal.
One reason it is not ideal is due to the fact that in my testing, "time cksum some-large-file" compared to "time md5sum some-large-file" took nearly twice as long. In fact, md5sum, sha1sum and b2sum all took roughly the same time to hash /var/cache/makepkg/srcdest/firefox-72.0.2.source.tar.xz (302MB).

I mean, granted we're talking a wall clock time of:

0:00.49 for sha1
0:00.54 for md5
0:00.56 for b2
0:00.92 for ck

So these differences don't significantly impact the time spent (regardless of which algorithm you use). On the other hand, it feels silly to move to a slower algorithm.

(I would also like to point out for the record I am part of the group of people who would prefer Trust On First Use, but I understand this is not going to be discussed here anymore.)

--
Eli Schwartz
Bug Wrangler and Trusted User