On 05/10/2018 05:46 AM, Leonid Isaev via arch-general wrote: > In this regard, I don't understand why we need checksums at all? If upstream: > (1) signes source with GPG, it will take care of both integrity and > authenticity, so no need for hashes; > (2) doesn't provide signatures, rely on gzip/bzip2/xz CRC. It is not > cryptographically secure, but we don't need that anyway. > Hence, we can substantially simplify makepkg code... makepkg --skippgpcheck without checksum integrity this would potentially result in corrupted, malformed downloads that aren't caught. Also a check which tells you the file has a bad signature *because the download is malformed* is sort of a weird user experience, and it might not be obvious you should try redownloading. -- Eli Schwartz Bug Wrangler and Trusted User
Attachment:
signature.asc
Description: OpenPGP digital signature
