> > I agree that we should use a strong hash by default where it makes
> > sense. But in the absence of effective validation of upstream packages,
> > this is meaningless.
>
> It would at least indicate that the source file has been tampered with in some way.

Even though there would be no way to know the "correct" checksum.
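The two positions in the exchange above are both right, and the difference is where the pinned checksum comes from. The following is an added illustration, not code from the thread or from any packaging tool; the tarball bytes and the recipe-style pin are constructed for the example, and `verify_against_pinned` is a hypothetical stand-in for the hash check a build recipe performs. It shows that a pinned strong hash catches a tarball that changes after the pin was recorded, but that a pin recorded from whatever was fetched first (trust on first use) is only as good as that first fetch, because nothing in the hash itself says which value is the "correct" one.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Strong hash of a source archive, as a build recipe would record it."""
    return hashlib.sha256(data).hexdigest()


def verify_against_pinned(data: bytes, pinned_hex: str) -> bool:
    """The check a packaging recipe does at build time: the fetched archive
    must hash to the value pinned in the recipe. Constant-time compare so the
    check itself is not a timing oracle (hypothetical helper for this example)."""
    return hmac.compare_digest(sha256_hex(data), pinned_hex)


# Constructed sample archives; these are not real packages.
GOOD_TARBALL = b"example-1.0.tar.gz: honest source bytes"
TAMPERED_TARBALL = b"example-1.0.tar.gz: honest source bytes plus an injected backdoor"


def detects_later_tampering() -> bool:
    """Case 1: the pin was recorded from a copy known to be good (e.g. one whose
    upstream signature was checked). A later swap of the archive is detected,
    even though the hash alone cannot say what changed or why."""
    pinned = sha256_hex(GOOD_TARBALL)
    return (verify_against_pinned(GOOD_TARBALL, pinned)
            and not verify_against_pinned(TAMPERED_TARBALL, pinned))


def pin_on_first_fetch(fetched: bytes) -> str:
    """Case 2 helper: trust-on-first-use pinning. The recipe records whatever
    it downloaded, with no independent validation of that download."""
    return sha256_hex(fetched)


def tofu_misses_upstream_compromise() -> bool:
    """Case 2: if the archive was already tampered with when the pin was taken,
    the build check passes forever after. The strong hash still detects any
    *subsequent* change, but it cannot tell that the pinned value is wrong."""
    pinned = pin_on_first_fetch(TAMPERED_TARBALL)
    return verify_against_pinned(TAMPERED_TARBALL, pinned)


if __name__ == "__main__":
    print("later tampering detected:", detects_later_tampering())
    print("TOFU pin accepts compromised archive:", tofu_misses_upstream_compromise())
```

The missing piece in case 2 is exactly the "effective validation of upstream packages" the quoted message asks for: a signature from upstream (or a checksum published over a channel independent of the download) is what makes a pinned value the correct one; the hash then does the cheap, repeatable job of enforcing that value on every later build.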