On 1/23/20 8:32 AM, Giancarlo Razzolini wrote:
> Em janeiro 22, 2020 23:30 Eli Schwartz escreveu:
>> So ultimately that is what this discussion will always devolve to:
>>
>> - Do we want to ensure TOFU?
> 
> Yes.
> 
>> - Do we want to give PKGBUILDs the default black mark "uses md5sums
>>   because maintainer doesn't care about researching sources"?
>>
> 
> No. Encouraging best packaging practices can and should be done right
> from the start.
> 
> This discussion is pointless though. Let's continue to use md5sums until
> it's completely broken, then we can switch to something else.

Then I'm sure you'll be delighted to know that the last time this
discussion was brought up (a couple years ago?) Allan said he wanted to
add "cksum" support and switch to that for a default. Rationale: both
md5sum and cksum are already completely broken, but no one deludes
themselves when they see "cksum" into thinking that it is anything but
deliberate, and no one deludes themselves into thinking that there is
any possibility it is secure.

(The same thing is true of md5sum, both that its presence in makepkg is
deliberate, and that it's not even intended to be secure. The difference
is that with md5sum, people can lie to themselves about both.)

And, sure enough, someone brought up the discussion again, and, sure
enough, Allan has fulfilled on his promise with the patch submission
which is a response to this thread:

"makepkg: add CRC checksums and set these to be the default"

-- 
Eli Schwartz
Bug Wrangler and Trusted User

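Added example, not part of the thread and not pacman's code: the point above is that makepkg's checksum arrays exist for trust-on-first-use (the maintainer records whatever the first fetch produced, and later builds only confirm the bytes are still the same), so a deliberately weak CRC serves that purpose as honestly as md5sum does. The script implements the POSIX `cksum` CRC-32 in pure Python alongside sha256, records both on "first use" and verifies later fetches against the record; the array name `cksums` and the sample source bytes are assumptions made here, not taken from the patch.

```python
"""TOFU-style source verification in the spirit of makepkg's *sums arrays.

Added example: not from the thread or from pacman. Sample sources are
constructed inline so the script runs offline.
"""
import hashlib

# POSIX cksum: CRC-32 with polynomial 0x04C11DB7, MSB-first, init 0, no bit
# reflection, the byte length appended little-endian, then a final complement.
_POLY = 0x04C11DB7


def _crc_table():
    table = []
    for i in range(256):
        c = i << 24
        for _ in range(8):
            c = ((c << 1) ^ _POLY) if (c & 0x80000000) else (c << 1)
        table.append(c & 0xFFFFFFFF)
    return table


_TABLE = _crc_table()


def posix_cksum(data: bytes) -> int:
    """Return the 32-bit value that cksum(1) prints for `data`.

    Empty input yields 4294967295 (crc stays 0, no length bytes, then ~0).
    """
    crc = 0
    for b in data:
        crc = ((crc << 8) & 0xFFFFFFFF) ^ _TABLE[((crc >> 24) ^ b) & 0xFF]
    n = len(data)
    while n:  # the length is fed through the CRC one byte at a time, LSB first
        crc = ((crc << 8) & 0xFFFFFFFF) ^ _TABLE[((crc >> 24) ^ (n & 0xFF)) & 0xFF]
        n >>= 8
    return (~crc) & 0xFFFFFFFF


def record_sums(sources: dict) -> dict:
    """First use: record checksums for each fetched source, exactly as a
    maintainer does when writing a PKGBUILD. Nothing here attests that the
    first fetch was genuine; that is the TOFU limitation, whatever algorithm
    is used. `cksums` is an assumed array name for illustration."""
    return {
        name: {
            "cksums": str(posix_cksum(data)),
            "sha256sums": hashlib.sha256(data).hexdigest(),
        }
        for name, data in sources.items()
    }


def verify_sums(sources: dict, recorded: dict) -> dict:
    """Later build: recompute every recorded checksum and report per source
    whether the bytes still match what was seen on first use."""
    result = {}
    for name, data in sources.items():
        rec = recorded.get(name)
        if rec is None:
            result[name] = False  # no record at all: nothing to trust
            continue
        ok = rec["cksums"] == str(posix_cksum(data))
        ok = ok and rec["sha256sums"] == hashlib.sha256(data).hexdigest()
        result[name] = ok
    return result


# Constructed sample sources (stand-ins for fetched tarballs).
FIRST_FETCH = {"foo-1.0.tar.gz": b"sample tarball bytes, first fetch"}
LATER_FETCH_SAME = {"foo-1.0.tar.gz": b"sample tarball bytes, first fetch"}
LATER_FETCH_CHANGED = {"foo-1.0.tar.gz": b"sample tarball bytes, first fetcH"}


if __name__ == "__main__":
    rec = record_sums(FIRST_FETCH)
    print("recorded:", rec)
    print("same bytes:", verify_sums(LATER_FETCH_SAME, rec))
    print("changed bytes:", verify_sums(LATER_FETCH_CHANGED, rec))
```

Both arrays fail on the changed fetch and pass on the identical one, which is all a TOFU record can tell you; neither proves the first fetch was the upstream author's release, which is why the thread separates "ensure TOFU" from "is it secure".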