checksums and message digests are not the same thing.[1] checksums are not suitable for integrity verification, and the best (meaning, at the time of writing and for the foreseeable future, most secure), currently supported cryptographic hash function algorithm (that is sha512 in AL's case), must be used to compute the message digests of the files. message digests are one of the things that we can and must use for security. not all upstreams have https enabled and not all of them sign their files with gpg. it was because of me that the 'Use gpg signatures and https sources' task was added to the todo list.[2][3][4] these things must be checked by the users also, not only by the package maintainers. i check everything, most of you check nothing. you just do 'pacman -Syu'. let us start with firefox's PKGBUILD file for the first example. you are using sha256mds instead of sha512mds. you can see at https://ftp.mozilla.org/pub/firefox/releases/50.0.2/, that there are 3 files, KEY, SHA512SUMS, and SHA512SUMS.asc. that is one example where you are using a smaller digest size than upstream, that cannot be verified with the signature. another example is nmap's PKGBUILD file. you continued to use sha1mds instead of sha512mds.[5] in Gentoo they use 3 mds and in Debian they use 2 mds (for all packages, regardless of what upstreams do or do not do (in Debian's case they sign the files containing the mds)).[6][7] there are a few package maintainers who insist on using and/or are still using only a part of the commit or tag hash. the whole commit or tag hash must be used, always. the refusal to future-proof.[8] i talked with the lsof upstream. he told me that he has retired, that he is old, and that he might stop maintaining it. it is unlikely that he will create a new keypair any time soon and he might never do that. another bad thing that many AL team members do, is connecting to irc servers without using tls and certificate verification. that is all for now. _ [1] https://en.wikipedia.org/wiki/Checksum, https://en.wikipedia.org/wiki/Cryptographic_hash_function [2] https://bugs.archlinux.org/task/51579 [3] https://lists.archlinux.org/pipermail/arch-dev-public/2016-October/028416.html [4] https://bugs.archlinux.org/index.php?opened=23845&status[]=, https://bugs.archlinux.org/index.php?opened=23412&status[]=, and https://bugs.archlinux.org/index.php?opened=23101&status[]= [5] https://nmap.org/dist/sigs/nmap-7.31.tar.bz2.digest.txt [6] https://gitweb.gentoo.org/repo/gentoo.git/tree/www-client/firefox/Manifest [7] https://ftp.acc.umu.se/debian/pool/main/f/firefox/firefox_50.0.2-1.dsc [8] https://bugs.archlinux.org/task/50482