[pacman-dev] [PATCH 2/2] makepkg: add CRC checksums and set these to be the default

Eli Schwartz eschwartz at archlinux.org
Fri Jan 24 02:37:06 UTC 2020


On 1/22/20 9:18 PM, Allan McRae wrote:
> Checksums arrays should be filled with values provided by upstream.  We
> currently have md5 set as an insecure default, and are constantly asked to
> change it to sha2.  However, just changing the default to a stronger checksum
> gives the user the impression that "makepkg -g" checksums are perfect.
> 
> Instead, change the default checksum to a CRC, to make it clear that any
> checksum generated purely by "makepkg -g" is not ideal.

One reason it is not ideal is that in my testing, "time cksum
some-large-file" took nearly twice as long as "time md5sum
some-large-file". In fact, md5sum, sha1sum and b2sum all took
roughly the same time to hash
/var/cache/makepkg/srcdest/firefox-72.0.2.source.tar.xz (302MB).

I mean, granted we're talking a wall clock time of:

0:00.49 for sha1
0:00.54 for md5
0:00.56 for b2
0:00.92 for ck

So these differences don't significantly impact the time spent
(regardless of which algorithm you use).

On the other hand, it feels silly to move to a slower algorithm.


(I would also like to point out for the record I am part of the group of
people who would prefer Trust On First Use, but I understand this is not
going to be discussed here anymore.)

-- 
Eli Schwartz
Bug Wrangler and Trusted User
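
The following is an added example, not code from pacman, makepkg or this
thread: a pure-Python reimplementation of what the cksum tool prints (the
CRC-32/CKSUM variant with the length augmentation), so the reader can see
exactly what a makepkg "cksums" entry would verify, plus a helper that
lays the values out as a PKGBUILD array and an optional cross-check
against the installed cksum binary. The sample inputs are constructed
here; the array layout helper is this example's own formatting, not
makepkg -g's output verbatim.

```python
"""POSIX cksum (CRC-32/CKSUM) in pure Python.

Added example, not pacman/makepkg code. It shows that a `cksums` value is a
32-bit linear check (polynomial 0x04C11DB7, MSB-first, zero init, length
appended, final complement) with no cryptographic properties at all.
"""
import shutil
import subprocess

POLY = 0x04C11DB7  # CRC-32 polynomial shared by cksum, bzip2 and MPEG-2


def _make_table() -> list[int]:
    """Build the MSB-first (non-reflected) byte-wise CRC-32 table for POLY."""
    table = []
    for i in range(256):
        c = i << 24
        for _ in range(8):
            c = ((c << 1) ^ POLY) if c & 0x80000000 else (c << 1)
            c &= 0xFFFFFFFF
        table.append(c)
    return table


_TABLE = _make_table()


def crc32_msb(data: bytes, crc: int = 0) -> int:
    """Run `data` through the MSB-first CRC-32 register starting at `crc`.

    No final XOR is applied, so callers can chain calls and finish themselves.
    """
    for b in data:
        crc = ((crc << 8) ^ _TABLE[((crc >> 24) ^ b) & 0xFF]) & 0xFFFFFFFF
    return crc


def posix_cksum(data: bytes) -> int:
    """Return the number cksum(1) prints for `data`.

    cksum feeds the data, then the byte length (least significant byte first,
    as few bytes as needed, none at all for empty input) and complements the
    register at the end. Empty input therefore yields 4294967295.
    """
    crc = crc32_msb(data)
    length_bytes = []
    n = len(data)
    while n:
        length_bytes.append(n & 0xFF)
        n >>= 8
    crc = crc32_msb(bytes(length_bytes), crc)
    return (~crc) & 0xFFFFFFFF


def cksums_array(sources: list[bytes]) -> str:
    """Lay out the cksum of each source as a PKGBUILD-style cksums=() array.

    Assumption: one quoted value per line, continuation lines indented under
    the opening parenthesis (this example's formatting, not makepkg's output).
    """
    values = ["'%d'" % posix_cksum(s) for s in sources]
    indent = " " * len("cksums=(")
    return "cksums=(" + ("\n" + indent).join(values) + ")"


def matches_system_cksum(data: bytes):
    """Cross-check against the installed cksum; returns None if it is absent."""
    if shutil.which("cksum") is None:
        return None
    out = subprocess.run(["cksum"], input=data, capture_output=True, check=True)
    return int(out.stdout.split()[0]) == posix_cksum(data)


if __name__ == "__main__":
    # Constructed sample sources, standing in for downloaded tarballs.
    samples = [b"", b"hello world\n", bytes(range(256)) * 1024]
    for s in samples:
        print(posix_cksum(s), len(s), "system agrees:", matches_system_cksum(s))
    print(cksums_array(samples))
```

The BZIP2/MPEG-2 check values are a convenient way to confirm the table
and register logic independently of the length augmentation, since they use
the same polynomial and bit order with a different initial value.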
