On Fri, Dec 09, 2016 at 03:15:34PM +0100, Bruno Pagani wrote:
> On 08/12/2016 at 01:57, Leonid Isaev wrote:
>
> > On Thu, Dec 08, 2016 at 10:34:59AM +1000, Allan McRae wrote:
> >> On 08/12/16 08:51, sivmu wrote:
> >>> On 07.12.2016 at 10:49, Allan McRae wrote:
> >>>>> ...
> >>>>> I advocate keeping md5sum as the default because it is broken. If I see
> >>>>> someone purely verifying their sources using md5sum in a PKGBUILD (and
> >>>>> not pgp signature), I know that they have done nothing to actually
> >>>>> verify the source themselves.
> >>>>> ...
> >>> That is a very dangerous assumption. I know for a fact that many
> >>> maintainers used md5 for verification because it is the default.
> >>> There are/were maintainers that downloaded the source, verified the pgp
> >>> signature and generated the md5 checksum to include it in the PKGBUILD
> >>> (without the pgp signature).
> >> Idiots... so again using md5sums as the default saves me from people
> >> who don't know how to package.
> > Actually, this might not be so crazy. Sometimes you get a signed sha*sums file
> > instead of signed source, so you don't include the key in the validpgpkeys array.
> > For example, when building Firefox, I have to manually verify the sig on
> > SHA512SUMS and then paste the sha512sum into the PKGBUILD. But this is because I'm
> > paranoid... I guess one can simply do makepkg -g, hmm.
> >
> > Hence the question, why have this flag at all? And should it be possible to
> > specify an external (signed) hash-file in the PKGBUILD?
> >
> > Thx,
> > L.
>
> What is wrong with adding the sha*sum file and its signature to the
> source array and then using validpgpkeys?

And then what?

-- 
Leonid Isaev
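The "and then what?" step, as an added example that is not code from the thread or from makepkg: listing SHA512SUMS and its .sig in source=() with the key in validpgpkeys=() makes makepkg verify the signature on the sums file, but nothing checks the tarball against that file unless the PKGBUILD adds the comparison itself. The file names (foo-1.0.tar.xz, bar-2.0.tar.xz), their contents and the SHA512SUMS file are constructed here; only GNU coreutils sha512sum and awk are assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes makepkg already verified the
# detached signature on SHA512SUMS because SHA512SUMS.sig was in source=() and
# the signer's key in validpgpkeys=(). That says nothing about the tarball, so
# prepare() still has to tie the tarball to the signed sums file.

# verify_against_sums SUMS_FILE TARBALL
# Returns 0 only when SUMS_FILE has an entry for TARBALL's basename and the
# SHA-512 of TARBALL equals that entry; a missing entry or mismatch returns 1.
verify_against_sums() {
    sums_file=$1
    tarball=$2
    name=$(basename "$tarball")
    # sha512sum lines are "<hash>  name" or "<hash> *name" (binary mode).
    expected=$(awk -v f="$name" '$2 == f || $2 == "*" f { print $1; exit }' "$sums_file")
    if [ -z "$expected" ]; then
        echo "verify_against_sums: no entry for $name in $sums_file" >&2
        return 1
    fi
    actual=$(sha512sum "$tarball" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# --- Constructed sample data standing in for downloaded sources ---
DEMO_DIR=$(mktemp -d)
mkdir -p "$DEMO_DIR/good" "$DEMO_DIR/tampered"
printf 'release contents\n' > "$DEMO_DIR/good/foo-1.0.tar.xz"
# Same basename as the released tarball, different bytes.
printf 'release contents plus an extra change\n' > "$DEMO_DIR/tampered/foo-1.0.tar.xz"
# A file upstream never listed in its sums.
printf 'unlisted\n' > "$DEMO_DIR/good/bar-2.0.tar.xz"
SUMS="$DEMO_DIR/SHA512SUMS"
# Upstream would publish and sign this; here it is generated from the good
# tarball the same way a real SHA512SUMS is produced.
( cd "$DEMO_DIR/good" && sha512sum foo-1.0.tar.xz ) > "$SUMS"

# What a prepare() step would do after makepkg checked the signature.
if verify_against_sums "$SUMS" "$DEMO_DIR/good/foo-1.0.tar.xz"; then
    echo "foo-1.0.tar.xz matches the signed SHA512SUMS"
fi
```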