[arch-dev-public] makepkg.conf settings - Was:[signoff] pacman 3.3.0

Pierre Schmitz pierre at archlinux.de
Mon Aug 3 05:25:24 EDT 2009


On Monday 03 August 2009 11:06:37, Roman Kyrylych wrote:
> >> 2) Arch integrity check policy.  This is the default checksum produced
> >> with "makepkg -g".  Stick with md5sum or go to sha256?  I don't care but
> >> md5sum has collisions so maybe sha256 is the way to go.
> >
> > Afaik md5sum is good enough for download verification. But I don't really
> > care as long as we could use both.
>
> I think md5sum collisions are more security-related stuff,
> and for security we need signed packages anyway.
> When speaking about checking package integrity
> - md5sum does its job fine.
> So I see no benefit in moving to sha256.

That's what I meant. It's very unlikely that you download a broken package due 
to networking problems which has the same md5sum and is also a valid tar.gz.

-- 

Pierre Schmitz, http://users.archlinux.de/~pierre
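To make the integrity-check point of this thread concrete, here is an added example (not from the thread and not makepkg's own code) that records `makepkg -g`-style md5sums/sha256sums arrays for a constructed sample tarball and then checks a bit-flipped copy against them. Both digests catch accidental transfer corruption; withstanding a deliberately crafted collision is the job of package signing, not of the hash chosen here.

```python
import hashlib
from typing import Dict, Tuple

# Constructed stand-in for a downloaded source tarball (gzip magic + filler).
SAMPLE_SOURCE = b"\x1f\x8b" + bytes(range(256)) * 4

def generate_checksums(data: bytes,
                       algos: Tuple[str, ...] = ("md5", "sha256")) -> Dict[str, str]:
    """Compute one hex digest per algorithm, as `makepkg -g` does for sources."""
    return {a: hashlib.new(a, data).hexdigest() for a in algos}

def format_pkgbuild_arrays(sums: Dict[str, str]) -> str:
    """Render the digests in PKGBUILD array style, e.g. md5sums=('...')."""
    return "\n".join(f"{a}sums=('{d}')" for a, d in sums.items())

def verify(data: bytes, expected: Dict[str, str]) -> Dict[str, bool]:
    """Recompute every recorded digest over the download; each must match."""
    return {a: hashlib.new(a, data).hexdigest() == d for a, d in expected.items()}

def corrupt(data: bytes, offset: int) -> bytes:
    """Flip a single bit to simulate a transfer error (not an attacker)."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)

if __name__ == "__main__":
    sums = generate_checksums(SAMPLE_SOURCE)
    print(format_pkgbuild_arrays(sums))
    print("intact:", verify(SAMPLE_SOURCE, sums))
    print("bit-flipped:", verify(corrupt(SAMPLE_SOURCE, 100), sums))
```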

