Re: Stronger Hashes for PKGBUILDs

On 03.12.2016 at 06:27, fnodeuser wrote:

> 
> if an upstream does not sign the files, does not have https enabled, and/or refuses to take security and privacy seriously, sha512 must be used in the PKGBUILD files.

But using a hash value without the possibility to verify the hashed
files adds no security. It provides a false sense of security instead.

I agree that we should use a strong hash by default where it makes
sense. But in the absence of effective validation of upstream packages,
this is meaningless.

Attachment: signature.asc
Description: OpenPGP digital signature

