On Sat, Dec 3, 2016 at 3:27 AM, fnodeuser <subscription@xxxxxxxxxxxx> wrote: > https://lists.archlinux.org/pipermail/arch-dev-public/2016-November/028492.html > > i have a few things to add to this. > > the message digests at the download page for the .iso file, must change to sha256 and sha512 ones, or to a sha512 one. > > if an upstream does not sign the files, does not have https enabled, and/or refuses to take security and privacy seriously, sha512 must be used in the PKGBUILD files. > > in the cases of upstreams that use md5 and/or sha1 message digests, those will be added in a second ALGOsums= line under the sha512sums= line. if they use md5 and sha1, then sha1sums must be used for the second ALGOsums= line. Once again I must say thanks, fnodeuser.
