On 01/12/2014 02:58 AM, Rashif Ray Rahman wrote:
> On 12 January 2014 14:09, Taylor Hornby <havoc@xxxxxxxxx> wrote:
>> Are there other packages still being verified with MD5? Can we fix them
>> too? I'll gladly donate my time if it's not something that can be automated.
>
> Of the 4890 base packages shown by ABS, 2988 are MD5-only. That is
> 61%, or more than half.
>

Wow, that's quite a lot.

Do I understand correctly that the hashes are relied on for security? In other words, is it the package (containing the PKGBUILD) that's signed, and once it's verified, it's the PKGBUILD's responsibility to check the integrity of the files it needs?

If so, this should be fixed as soon as possible. How feasible would it be? Could it be as simple as making a script that:

1. Finds the 'source' and 'md5sums' lines.
2. Downloads the packages and checks the md5sums.
3. Computes the SHA256sums, and adds them to the file.

If there's anything I can do to help, let me know.

-- 
Taylor Hornby
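The three-step script sketched in the message above, written out as an added example (it is not from the thread and not an Arch tool). It assumes the source files have already been fetched into a local directory, so the download step is left out and it runs offline, and it reads the arrays by sourcing the PKGBUILD in a subshell, as makepkg does, so it must only be pointed at PKGBUILDs you would build anyway.

```shell
#!/usr/bin/env bash
# Reduce a source= entry to the filename makepkg stores it under:
# "name::url" is renamed to name; otherwise take the last path component.
source_filename() {
    local entry=$1
    case $entry in
        *::*) printf '%s\n' "${entry%%::*}" ;;
        *)    printf '%s\n' "${entry##*/}" ;;
    esac
}

# Usage: migrate_sums PKGBUILD SRCDIR
# Checks every fetched file against md5sums= and prints a sha256sums= array
# for the maintainer to paste into the PKGBUILD. Any mismatch or missing
# file returns 1, so a bad download is never "upgraded" to a stronger hash.
migrate_sums() {
    local pkgbuild=$1 srcdir=$2
    (
        # Sourcing executes the PKGBUILD; the subshell keeps its variables
        # and functions out of the caller's environment.
        # shellcheck disable=SC1090
        source "$pkgbuild" || exit 1
        if [ "${#source[@]}" -ne "${#md5sums[@]}" ]; then
            echo "source= and md5sums= have different lengths" >&2
            exit 1
        fi
        local out=() i file actual sum
        for i in "${!source[@]}"; do
            # VCS sources carry SKIP in md5sums; keep SKIP for sha256 too.
            if [ "${md5sums[$i]}" = SKIP ]; then
                out+=("'SKIP'")
                continue
            fi
            file=$srcdir/$(source_filename "${source[$i]}")
            [ -f "$file" ] || { echo "missing: $file" >&2; exit 1; }
            actual=$(md5sum "$file" | cut -d' ' -f1)
            if [ "$actual" != "${md5sums[$i]}" ]; then
                echo "md5 mismatch for $file: got $actual" >&2
                exit 1
            fi
            sum=$(sha256sum "$file" | cut -d' ' -f1)
            out+=("'$sum'")
        done
        printf 'sha256sums=(%s)\n' "${out[*]}"
    )
}
```

The printed line replaces the md5sums= line; makepkg also accepts both arrays side by side during a transition, and verifies every one it finds.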