On 08/12/16 08:51, sivmu wrote:
> On 07.12.2016 at 10:49, Allan McRae wrote:
>> ...
>> I advocate keeping md5sum as the default because it is broken. If I see
>> someone purely verifying their sources using md5sum in a PKGBUILD (and
>> not pgp signature), I know that they have done nothing to actually
>> verify the source themselves.
>> ...
>
> That is a very dangerous assumption. I know for a fact that many
> maintainers used md5 for verification because it is the default.
> There are/were maintainers that downloaded the source, verified the pgp
> signature and generated the md5 checksum to include it in the PKGBUILD
> (without the pgp signature)

Idiots... so again using md5sums as the default saves me from people who
don't know how to package.

A