[arch-general] Stronger Hashes for PKGBUILDs

Leonid Isaev leonid.isaev at jila.colorado.edu
Mon May 14 00:11:09 UTC 2018

On Sun, May 13, 2018 at 08:19:19PM +0200, Neven Sajko via arch-general wrote:
> On 13 May 2018 at 20:11, Neven Sajko <nsajko at gmail.com> wrote:
> > I do agree that using md5 is absurd, ...
> To clarify, md5 *is* unsecure and is even slower or not significantly
> faster than hashes from the Keccak and BLAKE2 families; using
> signatures would be a plus but signatures are not an argument for md5.

It is trivial to enable blake2 support in makepkg using b2sum(1) from the
coreutils package. Currently, I only saw gentoo using it but I didn't do
proper research on this...

Yes, md5 is almost as good these days as crc32... It is ok if the sources are
gpg-signed, but not on its own.

Leonid Isaev

More information about the arch-general mailing list