[arch-general] Stronger Hashes for PKGBUILDs

sivmu sivmu at web.de
Sat Dec 3 18:21:46 UTC 2016



On 03.12.2016 at 06:27, fnodeuser wrote:

> 
> if an upstream does not sign the files, does not have https enabled, and/or refuses to take security and privacy seriously, sha512 must be used in the PKGBUILD files.

But using a hash value without the possibility to verify the hashed
files adds no security. It provides a false sense of security instead.

I agree that we should use a strong hash by default where it makes
sense. But in the absence of effective validation of upstream packages,
this is meaningless.

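As an added illustration, not part of this message or of Arch's own tooling, the following Python script models the source check that makepkg performs against a PKGBUILD's `sha512sums=()` array. The "tarballs", the `makepkg_verify` and `generate_pkgbuild_sum` helpers and the three scenario functions are constructed for the example; they show which tampering a digest computed from the packager's own download can catch (a later change on the download path) and which it cannot (a copy that was already modified when the packager fetched it), and what changes once the digest is compared against a reference obtained through an independent channel.

```python
import hashlib

# Constructed sample "release tarballs"; neither is a real upstream file.
GENUINE = b"example-1.0.tar.gz: genuine upstream content\n"
TAMPERED = b"example-1.0.tar.gz: content modified on the download path\n"


def sha512sum(data: bytes) -> str:
    """Hex SHA-512 digest, the form that goes into a PKGBUILD sha512sums=() array."""
    return hashlib.sha512(data).hexdigest()


def generate_pkgbuild_sum(fetched: bytes) -> str:
    """Model (hypothetical) of how packagers usually fill sha512sums=():
    the digest is computed from whatever was just downloaded, in the style
    of `makepkg -g`, so it only attests that future downloads match this copy."""
    return sha512sum(fetched)


def makepkg_verify(pinned: str, fetched: bytes) -> bool:
    """Model (hypothetical) of the makepkg source check:
    does the fetched file match the pinned digest?"""
    return sha512sum(fetched) == pinned


def tampered_before_pinning() -> bool:
    """The packager's own download was already modified, and users later
    receive the same file. Returns True if the tampering is caught."""
    pinned = generate_pkgbuild_sum(TAMPERED)  # digest of the bad copy is pinned
    return not makepkg_verify(pinned, TAMPERED)  # check passes, so nothing is caught


def tampered_after_pinning() -> bool:
    """The packager pinned a genuine copy; a user's later download is modified.
    Returns True if the tampering is caught."""
    pinned = generate_pkgbuild_sum(GENUINE)
    return not makepkg_verify(pinned, TAMPERED)  # mismatch, so makepkg aborts


def verified_against_independent_reference(reference_sum: str, fetched: bytes) -> bool:
    """The packager compares the download with a digest obtained through a
    channel the download path cannot alter (a signed release announcement,
    a checksum file served over TLS from a different host, and so on).
    reference_sum is assumed to come from such a channel.
    Returns True if the download may be pinned into the PKGBUILD."""
    return sha512sum(fetched) == reference_sum


if __name__ == "__main__":
    print("tampered before pinning, caught:", tampered_before_pinning())
    print("tampered after pinning, caught:", tampered_after_pinning())
    ref = sha512sum(GENUINE)  # stands in for an independently published digest
    print("independent reference accepts tampered copy:",
          verified_against_independent_reference(ref, TAMPERED))
```

The first scenario is the situation the message describes: when the only reference is the packager's own download, the digest pins that download and nothing more, so the check cannot tell a modified copy from the genuine one. The second scenario shows what the digest still buys (detection of a change between pinning and a user's build), and the third shows that the check only becomes a validation of upstream once the reference digest comes from somewhere other than the download path itself.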