[pacman-dev] [PATCH] makepkg: Change the default integrity check to sha256.

Sam Stuewe halosghost at archlinux.info
Fri Jun 6 10:20:02 EDT 2014

On 2014-06-06 07:20, Florian Bruhin wrote:
> I also found some constructs to automatically get a checksum file from
> upstream via curl/wget - is this an encouraged thing to do?
> Though this one probably isn't a good idea :D
> md5sums=(`wget -qO- $source | md5sum | cut -c -32`)

I might be able to speak to that one a bit. Several of the packages that 
use some of these constructs act more like VCS packages than standard 
packages (e.g., they have a pkgver() function). This type of construct 
is incredibly helpful because it allows the integrity check to be made 
without the packager having to manually grab the checksums each update. 
Plus, if the packager has done her job well, then such a method should 
be just as secure as manually grabbing the checksums (the location 
from which the checksums would be grabbed is the same).

Admittedly, I have no idea if such a method is considered good practice, 
but it has seemed like a net positive to me.

One final note, though: the quality of packages in the User Repository 
(and the methods therein) has little to no bearing on the packaging 
techniques in [core] and [extra]. Even if the method for fetching 
checksums above were widely used and considered a good idea, it is 
not one I can imagine being helpful in the dev-maintained repos.

All the best,
Sam Stuewe (HalosGhost)

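The two constructs discussed in this thread side by side, as an added example that is not code from the thread, from makepkg or from any Arch package: the quoted backtick pattern, which hashes the bytes it has just downloaded, and the alternative Sam describes, which fetches the checksum list upstream publishes next to the tarball. Upstream and a tampering mirror are stand-in local directories constructed by the script (the file names foo-1.0.tar.gz and SHA256SUMS are hypothetical), so it runs offline; sha256sum, awk and mktemp are assumed to be available.

```shell
#!/usr/bin/env bash
# Added example (not from the pacman-dev thread or from makepkg itself).
# Contrasts two ways a PKGBUILD might obtain an integrity check at build time:
#   1. self_hash_check      - hashes whatever was just downloaded, which is what
#                             md5sums=(`wget -qO- $source | md5sum | ...`) does:
#                             the "expected" value is derived from the same
#                             bytes being checked, so it can never fail.
#   2. published_hash_check - compares the download against a SHA256SUMS file
#                             that upstream publishes next to the tarball.
# The "upstream" and "mirror" directories below are constructed fixtures, and
# the file names foo-1.0.tar.gz / SHA256SUMS are hypothetical.
set -eu

sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Pattern 1: a corrupted or tampered download passes exactly like a good one.
self_hash_check() {
    local file=$1 expected
    expected=$(sha256_of "$file")        # what the backtick construct computes
    [ "$(sha256_of "$file")" = "$expected" ]
}

# Pattern 2: look the file name up in an upstream-published SHA256SUMS file
# ("<hash>  <name>", the sha256sum output format) and compare.
# Exit status: 0 on match, 1 on mismatch, 2 if the name is not listed.
published_hash_check() {
    local file=$1 sums=$2 expected
    expected=$(awk -v name="$(basename "$file")" '$2 == name { print $1 }' "$sums")
    [ -n "$expected" ] || return 2
    [ "$(sha256_of "$file")" = "$expected" ]
}

# What a PKGBUILD would put into its sha256sums=() array when it fetches the
# published list instead of hashing its own download: one hash per source name.
sums_from_published_list() {
    local sums=$1; shift
    local name
    for name in "$@"; do
        awk -v name="$name" '$2 == name { print $1 }' "$sums"
    done
}

# Constructed fixture: "upstream" holds a fake tarball and its SHA256SUMS;
# "mirror" holds a copy of the tarball with bytes appended.
setup_fixture() {
    local base=$1
    mkdir -p "$base/upstream" "$base/mirror"
    printf 'fake tarball contents\n' > "$base/upstream/foo-1.0.tar.gz"
    (cd "$base/upstream" && sha256sum foo-1.0.tar.gz > SHA256SUMS)
    cp "$base/upstream/foo-1.0.tar.gz" "$base/mirror/foo-1.0.tar.gz"
    printf 'tampered\n' >> "$base/mirror/foo-1.0.tar.gz"
}

# Stand-alone demonstration of the three cases.
demo() {
    local tmp good bad sums
    tmp=$(mktemp -d)
    setup_fixture "$tmp"
    good="$tmp/upstream/foo-1.0.tar.gz"
    bad="$tmp/mirror/foo-1.0.tar.gz"
    sums="$tmp/upstream/SHA256SUMS"
    echo "self-hash check on tampered file:      $(self_hash_check "$bad" && echo pass || echo FAIL)"
    echo "published-sum check on genuine file:   $(published_hash_check "$good" "$sums" && echo pass || echo FAIL)"
    echo "published-sum check on tampered file:  $(published_hash_check "$bad" "$sums" && echo pass || echo FAIL)"
    echo "sha256sums=($(sums_from_published_list "$sums" foo-1.0.tar.gz))"
    rm -rf "$tmp"
}

demo
```

The self-hash check reports "pass" for the tampered mirror copy, so it is not an integrity check at all. The published-list check rejects the tampered copy, but only because the list and the tarball were not delivered as a single blob; if both are served by one host, compromising that host defeats the check, which is the limit of any same-origin checksum and why an upstream signature is the stronger control. For a non-VCS package the checksums are normally generated once with makepkg -g and pasted into the PKGBUILD rather than fetched at build time.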