On 01/13/2014 02:49 AM, Rashif Ray Rahman wrote:
> On 13 January 2014 00:58, Taylor Hornby <havoc@xxxxxxxxx> wrote:
>> If so, this should be fixed as soon as possible. How feasible would it
>> be? Could it be as simple as making a script that:
>>
>> 1. Finds the 'source' and 'md5sums' lines.
>> 2. Downloads the packages and checks the md5sums.
>> 3. Computes the SHA256sums, and adds them to the file.
>>
>> If there's anything I can do to help, let me know.
>
> Makepkg supports MD5 and the SHAs. A PKGBUILD can have multiple
> checksums, but it depends on the maintainer which of them they'd
> prefer to use. You can get them to deprecate the practice of using
> MD5-only PKGBUILDs.
>
> You're actually concerned about a part of the packaging process that
> requires human discretion. It is up to the packager to verify that the
> sources are good. They can proactively search for authentic checksums
> and signatures.

Yep, I misunderstood how it works. I thought the PKGBUILD was used on
users' systems when they run "pacman -S truecrypt", when in fact the
PKGBUILD is only used by the package maintainer to generate the binary
packages, which they then sign.

So it's not as bad as I thought, and moving to SHA256 doesn't fix the
problem. The only solution is to convince the software sources (Mozilla,
etc.) to sign the files they release.

--
Taylor Hornby
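The checksum-upgrading script sketched in the quoted message, as an added example that is not code from the thread or from makepkg: it assumes a caller-supplied fetch function standing in for the download step and a constructed PKGBUILD fragment, and it refuses to emit SHA-256 sums for any file whose recorded MD5 does not match.

```python
import hashlib
import re

# Constructed PKGBUILD fragment (not a real package); md5sums hold the MD5 of
# b"abc" for the tarball and SKIP for the patch, mirroring makepkg's SKIP rule.
SAMPLE_PKGBUILD = """pkgname=example
pkgver=1.0
source=('https://example.invalid/example-1.0.tar.gz'
        'example.patch')
md5sums=('900150983cd24fb0d6963f7d28e17f72'
         'SKIP')
"""

# Constructed stand-in for "download the packages": entry -> file bytes.
SAMPLE_FILES = {
    "https://example.invalid/example-1.0.tar.gz": b"abc",
    "example.patch": b"",
}

def parse_array(pkgbuild, name):
    """Return the elements of a bash array assignment name=(...), such as
    source=(...) or md5sums=(...), which may span several lines."""
    m = re.search(r"^\s*" + re.escape(name) + r"=\((.*?)\)", pkgbuild, re.S | re.M)
    if not m:
        return []
    return [tok.strip("'\"") for tok in m.group(1).split()]

def verify_sources(pkgbuild, fetch):
    """Check each source against its md5sums entry (SKIP is honoured as in
    makepkg) and return the SHA-256 digests in source order. Any mismatch
    raises ValueError so a corrupted or altered file never gets a new sum."""
    sources = parse_array(pkgbuild, "source")
    md5s = parse_array(pkgbuild, "md5sums")
    if len(sources) != len(md5s):
        raise ValueError("source and md5sums arrays differ in length")
    sha256s = []
    for entry, expected in zip(sources, md5s):
        data = fetch(entry)
        if expected != "SKIP" and hashlib.md5(data).hexdigest() != expected:
            raise ValueError(f"md5 mismatch for {entry}")
        sha256s.append(hashlib.sha256(data).hexdigest())
    return sha256s

def sha256sums_line(sha256s):
    """Format the digests as a sha256sums=(...) array to add to the PKGBUILD."""
    indent = "\n" + " " * len("sha256sums=(")
    return "sha256sums=(" + indent.join(f"'{s}'" for s in sha256s) + ")"

if __name__ == "__main__":
    print(sha256sums_line(verify_sources(SAMPLE_PKGBUILD, SAMPLE_FILES.__getitem__)))
```

A real run would fetch each entry over the network instead of from SAMPLE_FILES; even then the new sums only attest that the file matches whatever MD5 the maintainer originally recorded, which is the authenticity gap the thread ends on.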