On 12/08/2016 01:34 AM, Allan McRae wrote:
> On 08/12/16 08:51, sivmu wrote:
>> On 07.12.2016 at 10:49, Allan McRae wrote:
>>>> ...
>>>> I advocate keeping md5sum as the default because it is broken. If I see
>>>> someone purely verifying their sources using md5sum in a PKGBUILD (and
>>>> not pgp signature), I know that they have done nothing to actually
>>>> verify the source themselves.
>>>> ...
>> That is a very dangerous assumption. I know for a fact that many
>> maintainers used md5 for verification because it is the default.
>> There are/were maintainers that downloaded the source, verified the pgp
>> signature and generated the md5 checksum to include it in the PKGBUILD
>> (without the pgp signature)
>
> Idiots... so again using md5sums as the default saves me from people
> who don't know how to package.
>
> A
>

Calling those idiots is not the way to solve this problem.

The fact is that if we use a (strong) hash and multiple people compare
their hash against that, we can ensure that everyone downloads the same
sources. Setting the default to sha512sums helps in more cases than using
md5 as a "bad karma" flag does. Did it ever help you that you saw someone
using md5? Or wouldn't it be better to guide them in the right direction
by a) using sha512sums as default and b) adding a warning when no https
and gpg is used?

I think we should at least implement those warnings, no matter what hash
we use. Our main goal is to have every source signed with gpg and
downloaded by https.

Is there any voting system that we have so that we can also
democratically vote for stronger hashes? It seems to me that the majority
(who spoke up on the list) is for stronger hashes. All technical facts
have been said and we should come to a final agreement now.

~Nico
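The warnings Nico proposes (no https, no gpg signature, weak hash only) are straightforward to check mechanically. The script below is an added example, not makepkg's own code nor anything from the list discussion: it reads the `source=`, `validpgpkeys=` and `*sums=` arrays of a PKGBUILD and reports sources fetched over an unauthenticated transport, sources without a `.sig`/`.asc` signature file (or a signature with no `validpgpkeys`), and packages whose only checksum array is `md5sums` or `sha1sums`. The two PKGBUILD fragments, the URLs and the key fingerprint are constructed sample input; the array parser is deliberately simplified (it stops at the first `)` and does not expand `$pkgver`).

```python
import re
import shlex

# Checksum arrays makepkg recognises, grouped by strength.
WEAK_HASH_ARRAYS = ("md5sums", "sha1sums")
STRONG_HASH_ARRAYS = ("sha224sums", "sha256sums", "sha384sums", "sha512sums")
SIGNATURE_SUFFIXES = (".sig", ".asc", ".sign")
AUTHENTICATED_SCHEMES = {"https", "ssh"}

# Matches a bash array assignment such as source=(...), possibly spanning lines.
# Simplification (assumption of this example): the body ends at the first ')',
# which is enough for ordinary PKGBUILD arrays but not for values holding '$(...)'.
ARRAY_RE = re.compile(r"^\s*(\w+)=\((.*?)\)", re.MULTILINE | re.DOTALL)

# Constructed sample: http download, no signature, md5sums only.
WEAK_PKGBUILD = """
pkgname=example
pkgver=1.0
source=("http://example.org/example-$pkgver.tar.gz"
        "example.patch")
md5sums=('d41d8cd98f00b204e9800998ecf8427e'
         'SKIP')
"""

# Constructed sample: https download, detached signature, sha512sums, validpgpkeys.
SIGNED_PKGBUILD = """
pkgname=example
pkgver=1.0
source=("https://example.org/example-$pkgver.tar.gz"
        "https://example.org/example-$pkgver.tar.gz.sig")
sha512sums=('PLACEHOLDER_SHA512_OF_TARBALL'
            'SKIP')
validpgpkeys=('0123456789ABCDEF0123456789ABCDEF01234567')
"""


def parse_arrays(text):
    """Return {array_name: [values]} for every array assignment in a PKGBUILD."""
    arrays = {}
    for name, body in ARRAY_RE.findall(text):
        arrays[name] = shlex.split(body)  # shlex handles the bash quoting
    return arrays


def source_url(entry):
    """Strip makepkg's optional 'filename::url' prefix and return the URL part."""
    return entry.split("::", 1)[1] if "::" in entry else entry


def lint_pkgbuild(text):
    """Return warning codes for a PKGBUILD: unauthenticated transport,
    missing PGP signature, and weak or absent checksums."""
    arrays = parse_arrays(text)
    warnings = []
    sources = [source_url(e) for e in arrays.get("source", [])]

    for url in sources:
        if "://" not in url:
            continue  # local file shipped next to the PKGBUILD
        scheme = url.split("://", 1)[0].split("+")[-1]  # "git+https" -> "https"
        if scheme not in AUTHENTICATED_SCHEMES:
            warnings.append(f"NO_HTTPS:{url}")

    has_signature = any(url.endswith(SIGNATURE_SUFFIXES) for url in sources)
    if not has_signature:
        warnings.append("NO_PGP_SIGNATURE")
    elif not arrays.get("validpgpkeys"):
        warnings.append("SIGNATURE_WITHOUT_VALIDPGPKEYS")

    present = [n for n in WEAK_HASH_ARRAYS + STRONG_HASH_ARRAYS if n in arrays]
    if not present:
        warnings.append("NO_CHECKSUMS")
    elif not any(n in STRONG_HASH_ARRAYS for n in present):
        warnings.append("WEAK_HASH_ONLY:" + ",".join(present))
    for name in present:
        if arrays[name] and all(v == "SKIP" for v in arrays[name]):
            warnings.append(f"ALL_SKIPPED:{name}")
    return warnings


if __name__ == "__main__":
    for label, pkgbuild in (("weak", WEAK_PKGBUILD), ("signed", SIGNED_PKGBUILD)):
        print(label, lint_pkgbuild(pkgbuild) or ["ok"])
```

The three checks map onto the thread's points: a strong hash array lets several maintainers confirm they fetched identical bytes, https authenticates the transport, and a detached signature plus `validpgpkeys` is what actually ties the tarball to the upstream developer; `md5sums` alone, or all-`SKIP` arrays, trigger the warning the proposal asks for.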