[arch-general] Pointless to use non-md5 for makepkg INTEGRITY_CHECK

Aaron Schaefer aaron at elasticdog.com
Mon Jan 12 15:22:22 EST 2009

On Mon, Jan 12, 2009 at 10:44 AM, Aaron Griffin <aaronmgriffin at gmail.com> wrote:
> Currently, however, couldn't you just supply both md5 and sha1
> checksums to cover all bases?

You could put them both in the PKGBUILD in order to be able to upload
it to the AUR, but anyone who downloads it would get verification
errors unless they updated their makepkg.conf to match the
INTEGRITY_CHECK settings that were used when the PKGBUILD was created.
If they did change it, they would have to change it back in order to
prevent errors when compiling anything else.

Once that patch gets pushed to the public, what do people think about
switching over to sha256 as a default instead of md5 due to potential
collision/security issues?

Aaron "ElasticDog" Schaefer

More information about the arch-general mailing list