[pacman-dev] [PATCH 2/2] makepkg: add CRC checksums and set these to be the default

Allan McRae allan at archlinux.org
Fri Jan 24 04:56:34 UTC 2020


On 24/1/20 12:37 pm, Eli Schwartz wrote:
> On 1/22/20 9:18 PM, Allan McRae wrote:
>> Checksum arrays should be filled with values provided by upstream.  We
>> currently have md5 set as an insecure default, and are constantly asked to
>> change it to sha2.  However, just changing the default to a stronger checksum
>> gives the user the impression that "makepkg -g" checksums are perfect.
>>
>> Instead, change the default checksum to a CRC, to make it clear that any
>> checksum generated purely by "makepkg -g" is not ideal.
> 
> One reason it is not ideal is due to the fact that in my testing, "time
> cksum some-large-file" compared to "time md5sum some-large-file" took
> nearly twice as long. In fact, md5sum, sha1sum and b2sum all took
> roughly the same time to hash
> /var/cache/makepkg/srcdest/firefox-72.0.2.source.tar.xz (302MB).
> 
> I mean, granted we're talking a wall clock time of:
> 
> 0:00.49 for sha1
> 0:00.54 for md5
> 0:00.56 for b2
> 0:00.92 for ck
> 
> So these differences don't significantly impact the time spent
> (regardless of which algorithm you use).
> 
> On the other hand, it feels silly to move to a slower algorithm.

Well...  we hope that no-one will ever use this algorithm!

> (I would also like to point out for the record I am part of the group of
> people who would prefer Trust On First Use, but I understand this is not
> going to be discussed here anymore.)

There is nothing stopping anyone adding sha512sums=() to their PKGBUILD.
Running "makepkg -g" only pipes out the default when nothing else is in
the PKGBUILD.
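
As an added sketch (not makepkg's own code) of the rule Allan describes, this POSIX sh script emits only the default cksums array when a PKGBUILD declares no *sums array and otherwise regenerates the arrays already present. The array-name pattern, the single-source-file simplification and the fixture files are all constructed for this example.

```shell
#!/bin/sh
# Added example, not makepkg's code: a simplified model of the "makepkg -g" rule.
# The default (cksums, a CRC after this patch) is emitted only when the PKGBUILD
# declares no *sums array; otherwise the declared arrays are regenerated.

# Print the checksum array names declared in a PKGBUILD, one per line,
# or the default "cksums" when none is declared.
sums_arrays_in() {
    found=$(grep -oE '^(ck|md5|sha(1|224|256|384|512)|b2)sums=' "$1" \
            | sed 's/=$//' | sort -u || true)
    [ -n "$found" ] && echo "$found" || echo cksums
}

# Digest one file with the coreutils tool matching the array name.
digest_for() {
    case $1 in
        cksums)     cksum     "$2" | cut -d' ' -f1 ;;  # CRC: catches corruption, not tampering
        md5sums)    md5sum    "$2" | cut -d' ' -f1 ;;
        sha1sums)   sha1sum   "$2" | cut -d' ' -f1 ;;
        sha224sums) sha224sum "$2" | cut -d' ' -f1 ;;
        sha256sums) sha256sum "$2" | cut -d' ' -f1 ;;
        sha384sums) sha384sum "$2" | cut -d' ' -f1 ;;
        sha512sums) sha512sum "$2" | cut -d' ' -f1 ;;
        b2sums)     b2sum     "$2" | cut -d' ' -f1 ;;
        *) echo "unknown checksum array: $1" >&2; return 1 ;;
    esac
}

# Emit one "<name>=(<digest>)" line per selected array for the given source file.
gen_sums() {
    for array in $(sums_arrays_in "$1"); do
        printf '%s=(%s)\n' "$array" "$(digest_for "$array" "$2")"
    done
}

# Constructed fixtures: a stand-in "tarball" plus PKGBUILDs with and without a sums array.
setup_demo() {
    d=$(mktemp -d)
    printf 'constructed source payload\n' > "$d/source.tar"
    printf 'pkgname=demo\nsource=(source.tar)\n' > "$d/PKGBUILD.nosums"
    printf "pkgname=demo\nsource=(source.tar)\nsha512sums=('SKIP')\n" > "$d/PKGBUILD.sha512"
    echo "$d"
}

demo=$(setup_demo)
gen_sums "$demo/PKGBUILD.nosums" "$demo/source.tar"    # default only: cksums=(...)
gen_sums "$demo/PKGBUILD.sha512" "$demo/source.tar"    # declared array only: sha512sums=(...)
rm -rf "$demo"
```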
