[arch-general] Stronger Hashes for PKGBUILDs
Eli Schwartz
eschwartz at archlinux.org
Thu May 10 11:12:16 UTC 2018
On 05/10/2018 05:46 AM, Leonid Isaev via arch-general wrote:
> In this regard, I don't understand why we need checksums at all? If upstream:
> (1) signes source with GPG, it will take care of both integrity and
> authenticity, so no need for hashes;
> (2) doesn't provide signatures, rely on gzip/bzip2/xz CRC. It is not
> cryptographically secure, but we don't need that anyway.
> Hence, we can substantially simplify makepkg code...
makepkg --skippgpcheck
without checksum integrity this would potentially result in corrupted,
malformed downloads that aren't caught.
Also a check which tells you the file has a bad signature *because the
download is malformed* is sort of a weird user experience, and it might
not be obvious you should try redownloading.
--
Eli Schwartz
Bug Wrangler and Trusted User
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-general/attachments/20180510/d181e592/attachment.asc>
More information about the arch-general
mailing list