[arch-general] Stronger Hashes for PKGBUILDs

Eli Schwartz eschwartz at archlinux.org
Thu May 10 11:12:16 UTC 2018

On 05/10/2018 05:46 AM, Leonid Isaev via arch-general wrote:
> In this regard, I don't understand why we need checksums at all? If upstream:
> (1) signes source with GPG, it will take care of both integrity and
>     authenticity, so no need for hashes; 
> (2) doesn't provide signatures, rely on gzip/bzip2/xz CRC. It is not
>     cryptographically secure, but we don't need that anyway.
> Hence, we can substantially simplify makepkg code...

makepkg --skippgpcheck

without checksum integrity this would potentially result in corrupted,
malformed downloads that aren't caught.

Also a check which tells you the file has a bad signature *because the
download is malformed* is sort of a weird user experience, and it might
not be obvious you should try redownloading.

Eli Schwartz
Bug Wrangler and Trusted User

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-general/attachments/20180510/d181e592/attachment.asc>

More information about the arch-general mailing list