[arch-general] Stronger Hashes for PKGBUILDs

LoneVVolf lonewolf at xs4all.nl
Wed Dec 7 12:29:08 UTC 2016


On 07-12-16 11:44, Bennett Piater wrote:
> On 12/07/2016 11:17 AM, Gregory Mullen wrote:
>> If the argument left is, I don't want (better checksum) because it
>> shouldn't be thought of as a security check, and I want a security check.
>>
>> Why can't the requirement be PGP sigs are now required, and we drop the
>> checksum completely?
>
> Won't work because many upstreams don't provide signatures.
> Maybe giving a warning ("source authenticity was not verified due to
> lack of GPG signature") would work?
>

I vote to rename all *sums fields in PKGBUILD to:

this_is_just_a_checksum_and_does_no_authentication_at_all-xyzsums

Would it be possible to focus all this energy on ideas to make things
safer instead of wrongly treating checksums as a security feature?

LW
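The distinction the thread is arguing about, shown as an added shell example that is not makepkg's code or anything from the list: a checksum entry only proves the file matches what the packager saw, while a detached GPG signature ties it to upstream's key, and the warning text Bennett proposes is emitted when only the former is possible. The function names (`verify_source`, `demo_checksum_only`, `demo_tampered`) and the sample payload are constructed for this illustration.

```shell
#!/bin/sh
# Added illustration, not makepkg code: separate the integrity check that a
# sha256sums= entry gives from the authenticity check that a detached GPG
# signature gives. Function names are assumptions made for this example.

# Print only the hex sha256 digest of a file.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_source FILE EXPECTED_SHA256 [SIGFILE]
# Exit status: 0 = checksum and signature verified,
#              1 = checksum mismatch or bad signature (stop the build),
#              2 = checksum ok but no signature: authenticity NOT verified.
verify_source() {
    file=$1; expected=$2; sig=${3:-}
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "ERROR: $file: sha256 mismatch (got $actual, expected $expected)" >&2
        return 1
    fi
    if [ -z "$sig" ] || [ ! -f "$sig" ]; then
        # Integrity matches what the packager recorded; nothing says upstream made it.
        echo "WARNING: $file: source authenticity was not verified due to lack of GPG signature" >&2
        return 2
    fi
    # A real signature check: gpg verifies the detached signature against the keyring.
    if gpg --batch --verify "$sig" "$file" >/dev/null 2>&1; then
        echo "OK: $file: checksum and signature verified" >&2
        return 0
    fi
    echo "ERROR: $file: signature did not verify" >&2
    return 1
}

# Demo on a constructed stand-in for a source tarball: checksum only, no signature.
demo_checksum_only() {
    tmp=$(mktemp)
    printf 'constructed source payload\n' > "$tmp"
    expected=$(sha256_of "$tmp")
    rc=0
    verify_source "$tmp" "$expected" || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Demo: a payload altered after the checksum was recorded fails the integrity check.
demo_tampered() {
    tmp=$(mktemp)
    printf 'constructed source payload\n' > "$tmp"
    expected=$(sha256_of "$tmp")
    printf 'tampered\n' >> "$tmp"
    rc=0
    verify_source "$tmp" "$expected" || rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

Run `demo_checksum_only` to see the warning path (exit status 2) and `demo_tampered` to see the mismatch path (exit status 1); pass a third argument naming a detached `.sig` file to exercise the `gpg --verify` branch, which requires the signing key to be in the keyring.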

