On Wed, Dec 07, 2016 at 01:58:16AM -0800, Gregory Mullen wrote:
> > I advocate keeping md5sum as the default because it is broken. If I see
> > someone purely verifying their sources using md5sum in a PKGBUILD (and
> > not pgp signature), I know that they have done nothing to actually
> > verify the source themselves.
>
> I advocate making the default house construction straw... Said the wolf to
> the three little pigs.
>
> Advocating for MD5 as a "this package is insecure" warning flag makes NO
> sense at all. Especially when if the package is secure (because the
> maintainer verified the PGP sig, and then changed to shaXXX) you still know
> nothing new. But don't say: MD5 is good because I know it's broken, so I
> know the maintainer didn't do their job?
>
> Either validate the PGP keys, or don't. But don't suggest keeping a broken
> system because... why again? So you can learn nothing?

I think you misunderstood Allan. What he says is that by default makepkg
provides only a protection against broken http links at best. If a
maintainer wants security, he must take care of it explicitly. I don't see
why this is a bad idea...

Cheers,
L.

--
Leonid Isaev
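The distinction the thread turns on, a PKGBUILD whose only check is an md5sums array versus one that carries a detached signature and validpgpkeys, can be made mechanical. The script below is an added example written for this page, not code from the thread or from makepkg; the two PKGBUILD files, their URLs, digests and the all-zero key fingerprint are constructed placeholders.

```shell
#!/bin/sh
# Classify how a PKGBUILD verifies its sources:
#   pgp         - validpgpkeys is set and a .sig/.asc file is fetched, so makepkg
#                 will run gpg --verify on the tarball
#   digest-only - a sha*/b2 array: proves the download matches what the
#                 maintainer saw, says nothing about who produced it
#   md5-only    - md5sums alone: collision-broken, at most a broken-link detector
#   none        - no verification at all
pkgbuild_verification_level() {
    f="$1"
    if grep -Eq '^[[:space:]]*validpgpkeys=' "$f" \
       && grep -Eq '\.(sig|asc)($|[^[:alnum:]])' "$f"; then
        echo pgp
    elif grep -Eq '^[[:space:]]*(sha(1|224|256|384|512)|b2)sums=' "$f"; then
        echo digest-only
    elif grep -Eq '^[[:space:]]*md5sums=' "$f"; then
        echo md5-only
    else
        echo none
    fi
}

# Constructed sample PKGBUILDs (not real packages; fingerprint is a placeholder).
tmpd=$(mktemp -d)
cat > "$tmpd/weak.PKGBUILD" <<'EOF'
pkgname=example
pkgver=1.0
source=("https://example.invalid/example-$pkgver.tar.gz")
md5sums=('d41d8cd98f00b204e9800998ecf8427e')
EOF
cat > "$tmpd/signed.PKGBUILD" <<'EOF'
pkgname=example
pkgver=1.0
source=("https://example.invalid/example-$pkgver.tar.gz"
        "https://example.invalid/example-$pkgver.tar.gz.sig")
sha256sums=('e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
            'SKIP')
validpgpkeys=('0000000000000000000000000000000000000000')  # placeholder
EOF

for p in weak signed; do
    printf '%s: %s\n' "$p" "$(pkgbuild_verification_level "$tmpd/$p.PKGBUILD")"
done
```

Run it over a local PKGBUILD tree to list packages whose build recipe never authenticates the upstream tarball, regardless of which digest family it names.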