On Thu, 19 Feb 2015 15:15:42 -0500 Mark Lee <mark@xxxxxxxxxxxx> wrote:

> Salutations,
>
> After trying to build the mpv-0.8.0-1 and finding that the PKGBUILD's
> checksum was incorrect, I filed a bug report. See
> <https://bugs.archlinux.org/task/43882?project=5&cat%5B0%5D=33&string=mpv>.
>
> I filed it under "critical" since an incorrect checksum means that the
> package was built from source that doesn't match upstream's source. I
> was told it's not a critical issue and it was downgraded to medium. I'm
> wondering why incorrect checksums aren't considered "critical".
>
> Regards,
> Mark

The checksum matched when the package was built or it wouldn't have built for the maintainer, either. This means it's not a security issue, the only way it could be considered critical. All it means is that upstream changed something, only really affecting people trying to build from the PKGBUILDs. Normally, I would make this low severity, as it really doesn't matter that much.

Doug