[arch-general] Pointless to use non-md5 for makepkg INTEGRITY_CHECK

Aaron Griffin aaronmgriffin at gmail.com
Mon Jan 12 17:29:53 EST 2009


On Mon, Jan 12, 2009 at 4:20 PM, Aaron Schaefer <aaron at elasticdog.com> wrote:
> Is it that you don't see package verification as a possible security
> issue? Then why do we use hashes at all? Why not record the size of
> the file in bytes and put that in the PKGBUILD instead to check for
> incomplete downloads?

Have you never had a corrupted download? "Alright, 356K... wait, not a
tar file? what the hell?"

Checksums have been used to "check" transmission of data for ages.
Hell, your router even does some form of checksumming on packets it
sends and receives.

