[arch-general] Stronger Hashes for PKGBUILDs
Diego Viola
diego.viola at gmail.com
Fri Dec 16 16:46:15 UTC 2016
On Sat, Dec 3, 2016 at 3:27 AM, fnodeuser <subscription at binkmail.com> wrote:
> https://lists.archlinux.org/pipermail/arch-dev-public/2016-November/028492.html
>
> i have a few things to add to this.
>
> the message digests at the download page for the .iso file, must change to sha256 and sha512 ones, or to a sha512 one.
>
> if an upstream does not sign the files, does not have https enabled, and/or refuses to take security and privacy seriously, sha512 must be used in the PKGBUILD files.
>
> in the cases of upstreams that use md5 and/or sha1 message digests, those will be added in a second ALGOsums= line under the sha512sums= line. if they use md5 and sha1, then sha1sums must be used for the second ALGOsums= line.
Once again I must say thanks, fnodeuser.
More information about the arch-general
mailing list