[arch-general] Packages Verified with MD5
Rashif Ray Rahman
schiv at archlinux.org
Mon Jan 13 04:49:34 EST 2014
On 13 January 2014 00:58, Taylor Hornby <havoc at defuse.ca> wrote:
> If so, this should be fixed as soon as possible. How feasible would it
> be? Could it be as simple as making a script that:
>
> 1. Finds the 'source' and 'md5sums' lines.
> 2. Downloads the packages and checks the md5sums.
> 3. Computes the SHA256sums, and adds them to the file.
>
> If there's anything I can do to help, let me know.
Makepkg supports MD5 and the SHAs. A PKGBUILD can have multiple
checksums, but it depends on the maintainer which of them they'd
prefer to use. You can get them to deprecate the practice of using
MD5-only PKGBUILDs.
You're actually concerned about a part of the packaging process that
requires human discretion. It is up to the packager to verify that the
sources are good. They can proactively search for authentic checksums
and signatures.
--
GPG/PGP ID: C0711BF1
More information about the arch-general
mailing list