[arch-general] Packages Verified with MD5

Rashif Ray Rahman schiv at archlinux.org
Mon Jan 13 04:49:34 EST 2014

On 13 January 2014 00:58, Taylor Hornby <havoc at defuse.ca> wrote:
> If so, this should be fixed as soon as possible. How feasible would it
> be? Could it be as simple as making a script that:
> 1. Finds the 'source' and 'md5sums' lines.
> 2. Downloads the packages and checks the md5sums.
> 3. Computes the SHA256sums, and adds them to the file.
> If there's anything I can do to help, let me know.

Makepkg supports MD5 and the SHAs. A PKGBUILD can have multiple
checksums, but it depends on the maintainer which of them they'd
prefer to use. You can get them to deprecate the practice of using

You're actually concerned about a part of the packaging process that
requires human discretion. It is up to the packager to verify that the
sources are good. They can proactively search for authentic checksums
and signatures.


More information about the arch-general mailing list