On Thu, Dec 08, 2016 at 10:34:59AM +1000, Allan McRae wrote: > On 08/12/16 08:51, sivmu wrote: > > Am 07.12.2016 um 10:49 schrieb Allan McRae: > >> > ... > >> > I advocate keeping md5sum as the default because it is broken. If I see > >> > someone purely verifying their sources using md5sum in a PKGBUILD (and > >> > not pgp signature), I know that they have done nothing to actually > >> > verify the source themselves. > >> > ... > > That is a very dangerous assumtion. I know for a fact that many > > maintainers used md5 for verification because it is the default. > > There are/were maintainers that downloaded the source, verified the pgp > > signature and generated the md5 checksum to include it in the PKGBUILD > > (without the pgp signature) > > Idiots... so again using md5sums as the default saves me from people > who don't know how to package. Actually, this might not be so crazy. Sometimes you get a signed sha*sums file instead of signed source, so you don't include the key in validpgpkeys array. For example, when building Firefox, I have to manually verify the sig on SHA512SUMS and then paste the sha512sum into PKGBUILD. But this is because I'm paranoid... I guess one can simply do makepkg -g, hmm. Hence the question, why have this flag at all? And should it be possible to specify an external (signed) hash-file in PKGBUILD? Thx, L. -- Leonid Isaev
