[arch-general] Stronger Hashes for PKGBUILDs

Allan McRae allan at archlinux.org
Thu Dec 8 00:34:59 UTC 2016


On 08/12/16 08:51, sivmu wrote:
> Am 07.12.2016 um 10:49 schrieb Allan McRae:
>> > ...
>> > I advocate keeping md5sum as the default because it is broken.  If I see
>> > someone purely verifying their sources using md5sum in a PKGBUILD (and
>> > not pgp signature), I know that they have done nothing to actually
>> > verify the source themselves.
>> > ...
> That is a very dangerous assumption. I know for a fact that many
> maintainers used md5 for verification because it is the default.
> There are/were maintainers that downloaded the source, verified the pgp
> signature and generated the md5 checksum to include it in the PKGBUILD
> (without the pgp signature)

Idiots...  so again using md5sums as the default saves me from people
who don't know how to package.

A
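The situation described above (an md5sum-only PKGBUILD with no PGP signature) can be turned into a defender's check. Added example, not code from the thread or from pacman/makepkg: a shell heuristic that classifies how a PKGBUILD verifies its sources. The function name `pkgbuild_verification_level`, the sample PKGBUILDs and their checksum values are constructed here; it assumes makepkg's standard array names (`md5sums`, `sha256sums`, `sha512sums`, `b2sums`, `validpgpkeys`).

```shell
# Constructed example: classify a PKGBUILD's source verification.
# Output: "pgp"      - a signature is checked (validpgpkeys= or a .sig/.asc source)
#         "strong"   - sha256/sha512/b2 checksums, no signature
#         "md5-only" - md5sums is the only verification present
#         "none"     - no checksum array at all
# This is a text heuristic over makepkg's usual array names, not a bash parser.
pkgbuild_verification_level() {
    file="$1"
    # Drop shell comments so a commented-out validpgpkeys= does not count.
    stripped=$(sed 's/#.*//' "$file")
    if printf '%s\n' "$stripped" | grep -Eq 'validpgpkeys=|\.(sig|asc)([^[:alnum:]]|$)'; then
        echo pgp
    elif printf '%s\n' "$stripped" | grep -Eq '^[[:space:]]*(sha256|sha512|b2)sums(_[[:alnum:]_]+)?='; then
        echo strong
    elif printf '%s\n' "$stripped" | grep -Eq '^[[:space:]]*md5sums(_[[:alnum:]_]+)?='; then
        echo md5-only
    else
        echo none
    fi
}

# Constructed sample PKGBUILDs (placeholder hashes, not real values).
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/md5-only" <<'EOF'
pkgname=example
source=("https://example.invalid/example-1.0.tar.gz")
md5sums=('00000000000000000000000000000000')
EOF
cat > "$DEMO_DIR/strong" <<'EOF'
pkgname=example
source=("https://example.invalid/example-1.0.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')
EOF
cat > "$DEMO_DIR/pgp" <<'EOF'
pkgname=example
source=("https://example.invalid/example-1.0.tar.gz"
        "https://example.invalid/example-1.0.tar.gz.sig")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP')
validpgpkeys=('0000000000000000000000000000000000000000')  # placeholder key id
EOF

# Report each sample's level; md5-only is the case to flag in review.
for f in md5-only strong pgp; do
    printf '%-9s %s\n' "$f" "$(pkgbuild_verification_level "$DEMO_DIR/$f")"
done
```

Run it over a real PKGBUILD with `pkgbuild_verification_level ./PKGBUILD` to get one of the four labels.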
