[arch-general] Packages Verified with MD5

Anatol Pomozov anatol.pomozov at gmail.com
Sun Jan 12 16:12:08 EST 2014


Hi,

I believe the topic starter has concerns about the weakness of the MD5 hash
algorithm. He suggests deprecating md5sums=() and using a cryptographic
hash algorithm like SHA256. Personally I avoid MD5 in my packages
because of its bad reputation. But I am not a crypto expert though.


> I have been assuming the former, that when I do pacman -S firefox or pacman -S truecrypt, it runs the PKGBUILD on *my* system. Is that not the case?
No. Both firefox and truecrypt are distributed as binary packages.
The PKGBUILD is used by the maintainer only at build time. On the other hand,
AUR packages are always built on your machine.
md5sums=() checks that the *source* files downloaded from the internet are
correct. A MITM attack is still possible here.
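The check the reply describes, as an added example that is not part of the original message or of makepkg: a small Python verifier that parses the checksum arrays of a PKGBUILD-style text (md5sums, sha1sums, sha224sums, sha256sums, sha384sums, sha512sums, b2sums, plus the usual 'SKIP' entry), hashes each downloaded source in source=() order, and reports whether the only protection is MD5. The PKGBUILD fragment and the source bytes are constructed inline so the block runs offline; the package name "example" and its file names are placeholders.

```python
import hashlib
import re

# Checksum arrays makepkg understands, mapped to hashlib names (b2 is BLAKE2b).
ALGORITHMS = {
    "md5": "md5", "sha1": "sha1", "sha224": "sha224", "sha256": "sha256",
    "sha384": "sha384", "sha512": "sha512", "b2": "blake2b",
}
# Digest the message advises against relying on for source verification.
WEAK = {"md5"}

SUM_ARRAY = re.compile(
    r"^(?P<alg>" + "|".join(ALGORITHMS) + r")sums=\((?P<body>.*?)\)", re.S | re.M
)


def parse_checksums(pkgbuild):
    """Return {algorithm: [entry, ...]} for each *sums=() array, in source order."""
    found = {}
    for m in SUM_ARRAY.finditer(pkgbuild):
        found[m.group("alg")] = re.findall(r"'([^']*)'", m.group("body"))
    return found


def digest(alg, data):
    return hashlib.new(ALGORITHMS[alg], data).hexdigest()


def verify_sources(pkgbuild, sources):
    """Check each downloaded source (bytes, in source=() order) against every array.

    Returns a dict: ok (every non-SKIP entry matched), weak_only (only MD5 protects
    the sources), failures [(alg, index or reason)], skipped [(alg, index)].
    """
    sums = parse_checksums(pkgbuild)
    report = {"ok": bool(sums), "weak_only": bool(sums) and set(sums) <= WEAK,
              "failures": [], "skipped": []}
    for alg, entries in sums.items():
        if len(entries) != len(sources):
            report["ok"] = False
            report["failures"].append((alg, "count mismatch"))
            continue
        for i, (expected, data) in enumerate(zip(entries, sources)):
            if expected == "SKIP":
                report["skipped"].append((alg, i))  # makepkg skips this file
            elif digest(alg, data) != expected.lower():
                report["ok"] = False
                report["failures"].append((alg, i))
    return report


# Constructed stand-ins for downloaded sources; not real upstream files.
SOURCE_FILES = [b"constructed tarball contents\n", b"constructed patch contents\n"]


def make_pkgbuild(alg, sources, skip=()):
    """Build a minimal PKGBUILD fragment whose checksum array matches `sources`."""
    entries = ["'SKIP'" if i in skip else f"'{digest(alg, s)}'"
               for i, s in enumerate(sources)]
    return ("pkgname=example\npkgver=1.0\n"
            "source=('example-1.0.tar.gz' 'fix.patch')\n"
            f"{alg}sums=({' '.join(entries)})\n")


if __name__ == "__main__":
    good = make_pkgbuild("sha256", SOURCE_FILES)
    print("intact sources:", verify_sources(good, SOURCE_FILES))
    # One file replaced on the wire: the SHA256 entry for index 1 no longer matches.
    tampered = [SOURCE_FILES[0], b"contents swapped in transit\n"]
    print("tampered source:", verify_sources(good, tampered))
    print("md5 only:", verify_sources(make_pkgbuild("md5", SOURCE_FILES), SOURCE_FILES))
```

The report separates "a checksum mismatched" from "the sources are only covered by MD5": the first means a download was altered or corrupted, the second means the array would still pass even if someone could produce a colliding file, which is the concern raised in the thread. A 'SKIP' entry is reported rather than silently accepted, since such a file has no integrity check at all.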

