Generating checksums with "makepkg -g" only determines that the user of a PKGBUILD has the same file as the packager (assuming no collision). This means an upstream source could be maliciously changed and passed on as valid by a PKGBUILD. To avoid this, it is essential that any checksums used in a PKGBUILD are as provided by upstream. Signed-off-by: Allan McRae <allan@archlinux.org> --- doc/PKGBUILD.5.asciidoc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/doc/PKGBUILD.5.asciidoc b/doc/PKGBUILD.5.asciidoc index ef53c0ee..abe2ab52 100644 --- a/doc/PKGBUILD.5.asciidoc +++ b/doc/PKGBUILD.5.asciidoc @@ -152,7 +152,9 @@ contain whitespace characters. file integrity during subsequent builds. If 'SKIP' is put in the array in place of a normal hash, the integrity check for that source file will be skipped. To easily generate md5sums, run ``makepkg -g >> PKGBUILD''. - If desired, move the md5sums line to an appropriate location. + If desired, move the md5sums line to an appropriate location. Note that + checksums generated by "makepkg -g" provide little security benefit. All + checksum values should be as provided by the software developer. *sha1sums, sha224sums, sha256sums, sha384sums, sha512sums, b2sums (arrays)*:: Alternative integrity checks that makepkg supports; these all behave -- 2.25.0
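Review bot: The added sentence "checksums generated by "makepkg -g" provide little security benefit" understates what they do protect and risks confusing readers; suggest saying what they do and do not guarantee, in line with the commit message, e.g. "Checksums generated by ``makepkg -g'' only verify that later downloads match the file the packager fetched; they cannot detect an upstream source that was already modified when the packager downloaded it. Checksum values should be taken from those published by upstream." Two smaller points in the same hunk: the new text quotes "makepkg -g" with straight double quotes while the surrounding asciidoc uses the ``makepkg -g >> PKGBUILD'' form, so the quoting should be made consistent; and "the software developer" is narrower than the commit message's own "upstream" (a release may be published by a project rather than an individual developer), so "as published by upstream" would match the rationale better.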