On Sun, May 13, 2018 at 08:19:19PM +0200, Neven Sajko via arch-general wrote:
> On 13 May 2018 at 20:11, Neven Sajko <nsajko@xxxxxxxxx> wrote:
> > I do agree that using md5 is absurd, ...
>
> To clarify, md5 *is* unsecure and is even slower or not significantly
> faster than hashes from the Keccak and BLAKE2 families; using
> signatures would be a plus but signatures are not an argument for md5.

It is trivial to enable blake2 support in makepkg using b2sum(1) from the
coreutils package. Currently, I only saw gentoo using it but I didn't do
proper research on this... Yes, md5 is almost as good these days as crc32...
It is ok if the sources are gpg-signed, but not on its own.

Cheers,
--
Leonid Isaev