On 07/12/16 19:58, Gregory Mullen wrote:
>> But we don't care about that... we just want to feel warm and fuzzy with
> a false sense of security.
>
> No one is suggesting sha*sum replace an actual security/authentication
> check. Only that maybe it's not a good idea to use a system we all know is
> broken.
>

If everyone knows it is broken, upstream will not be providing md5sums to compare against, and then any PKGBUILD maintainer that has verified the source files using upstream-provided hashes will not use md5sum. All we do by changing away from md5sum as the default is hiding the large number of packages that do nothing to verify upstream source integrity. In fact, I am making CRC the default.

A