[arch-general] Stronger Hashes for PKGBUILDs

Allan McRae allan at archlinux.org
Wed Dec 7 10:09:30 UTC 2016


On 07/12/16 19:58, Gregory Mullen wrote:
>> But we don't care about that...  we just want to feel warm and fuzzy with
> a false sense of security.
> 
> No one is suggesting sha*sum replace, and actual security/authentication
> check. Only that maybe it's not a good idea to use a system we all know is
> broken.
> 

If everyone knows it is broken, upstream will not be providing md5sums
to compare against, and then any PKGBUILD maintainer that has verified
the source files using upstream-provided hashes will not use md5sum.

All we do by changing away from md5sum as the default is hiding the
large number of packages that do nothing to verify upstream source
integrity.

In fact, I am making CRC the default.

A
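To make the point above concrete, here is an added example (not code from this thread or from makepkg) that mimics how makepkg checks the `md5sums`/`sha256sums`/... arrays of a PKGBUILD: a `SKIP` entry or a missing array gives no verification at all, no matter which algorithm is the default. The `SAMPLE_PKGBUILD` text and the source bytes are constructed for the demo.

```python
import hashlib
import re

# Checksum arrays makepkg recognises (hypothetical reimplementation,
# not makepkg's own code), mapped to hashlib constructors.
ALGORITHMS = {
    "md5sums": hashlib.md5,
    "sha1sums": hashlib.sha1,
    "sha256sums": hashlib.sha256,
    "sha512sums": hashlib.sha512,
    "b2sums": hashlib.blake2b,
}

def parse_arrays(pkgbuild):
    """Map each checksum array present in the PKGBUILD text to its entries."""
    arrays = {}
    for name in ALGORITHMS:
        m = re.search(r"^\s*%s=\((.*?)\)" % name, pkgbuild, re.S | re.M)
        if m:
            arrays[name] = [e.strip("'\"") for e in m.group(1).split()]
    return arrays

def verify_sources(pkgbuild, sources):
    """sources: list of bytes in source=() order. Returns [(index, status)].

    Every array present must match, as in makepkg; an entry of SKIP or a
    missing array gives no verification at all, whatever algorithm it names.
    """
    arrays = parse_arrays(pkgbuild)
    if not arrays:
        return [(i, "unverified: no checksum array") for i in range(len(sources))]
    results = []
    for i, data in enumerate(sources):
        status = "unverified: SKIP"  # also used when the array has no entry
        for name, entries in arrays.items():
            if i >= len(entries) or entries[i] == "SKIP":
                continue
            if ALGORITHMS[name](data).hexdigest() != entries[i]:
                status = "FAILED %s" % name
                break
            status = "verified by %s" % name
        results.append((i, status))
    return results

# Constructed sample: first source carries an md5sum, second is SKIPped.
SAMPLE_PKGBUILD = "md5sums=('5d41402abc4b2a76b9719d911017c592'\n         'SKIP')\n"

if __name__ == "__main__":
    for idx, status in verify_sources(SAMPLE_PKGBUILD, [b"hello", b"world"]):
        print(idx, status)
```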
