On 1/22/20 9:18 PM, Allan McRae wrote:
> Checksum arrays should be filled with values provided by upstream. We
> currently have md5 set as an insecure default, and are constantly asked to
> change it to sha2. However, just changing the default to a stronger checksum
> gives the user the impression that "makepkg -g" checksums are perfect.
>
> Instead, change the default checksum to a CRC, to make it clear that any
> checksum generated purely by "makepkg -g" is not ideal.

One reason it is not ideal is that, in my testing, "time cksum some-large-file" compared to "time md5sum some-large-file" took nearly twice as long. In fact, md5sum, sha1sum and b2sum all took roughly the same time to hash /var/cache/makepkg/srcdest/firefox-72.0.2.source.tar.xz (302MB).

I mean, granted, we're talking a wall clock time of:

0:00.49 for sha1
0:00.54 for md5
0:00.56 for b2
0:00.92 for ck

So these differences don't significantly impact the time spent (regardless of which algorithm you use). On the other hand, it feels silly to move to a slower algorithm.

(I would also like to point out for the record that I am part of the group of people who would prefer Trust On First Use, but I understand this is not going to be discussed here anymore.)

-- 
Eli Schwartz
Bug Wrangler and Trusted User
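Allan's argument above is that a CRC visibly advertises itself as an integrity check rather than a security control. The Python below is added here as an illustration; it is not part of the thread and not code from pacman or makepkg. It shows the property concretely: four chosen bytes appended to an arbitrary replacement file make its CRC-32 equal to that of the original file, while SHA-256 still tells the two apart. For simplicity it uses zlib's CRC-32 (reflected polynomial 0xEDB88320) rather than the exact polynomial and length-appending of POSIX cksum; that choice is an assumption, and the backward-table technique carries over to any CRC because the register update is linear over GF(2) and involves no secret. The "tarball" contents are constructed sample bytes.

```python
import hashlib
import zlib

# Added example, not from the makepkg thread or pacman's sources.  Assumes the
# zlib/PKZIP CRC-32 (reflected polynomial 0xEDB88320, init and final XOR
# 0xFFFFFFFF), which differs in detail from POSIX cksum but has the same
# structural weakness: the register is a keyless linear function of the input.

POLY = 0xEDB88320


def _make_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = _make_table()
# Each table entry has a distinct top byte, so the top byte of the register
# after one step uniquely identifies the table index that produced it.
REV_TOP = {entry >> 24: idx for idx, entry in enumerate(TABLE)}
assert len(REV_TOP) == 256


def crc32_register(data, reg=0xFFFFFFFF):
    """Internal CRC-32 register (before the final XOR) after absorbing data."""
    for b in data:
        reg = TABLE[(reg ^ b) & 0xFF] ^ (reg >> 8)
    return reg


def forge_crc32(data, target_crc):
    """Return 4 bytes p such that zlib.crc32(data + p) == target_crc."""
    start = crc32_register(data)
    want = target_crc ^ 0xFFFFFFFF  # register value whose final XOR is target_crc
    # Walk backwards four steps from the wanted register: at each step the top
    # byte pins down which table index the step must have used.
    idx = [0] * 4
    d = want
    for k in (3, 2, 1, 0):
        idx[k] = REV_TOP[d >> 24]
        d = ((d ^ TABLE[idx[k]]) << 8) & 0xFFFFFFFF
    # Walk forward from the real register, picking each byte so that the step
    # hits the table index fixed above.
    reg = start
    patch = bytearray()
    for k in range(4):
        patch.append((idx[k] ^ reg) & 0xFF)
        reg = TABLE[idx[k]] ^ (reg >> 8)
    assert reg == want
    return bytes(patch)


def collide(original, tampered):
    """Give `tampered` the CRC-32 of `original` by appending 4 bytes.

    Returns whether the CRC-32 and SHA-256 digests of the forged file match
    those of the original, plus the forged bytes themselves.
    """
    patch = forge_crc32(tampered, zlib.crc32(original))
    forged = tampered + patch
    return {
        "crc_match": zlib.crc32(forged) == zlib.crc32(original),
        "sha256_match": hashlib.sha256(forged).digest()
        == hashlib.sha256(original).digest(),
        "forged": forged,
    }


if __name__ == "__main__":
    # Constructed stand-ins for an upstream tarball and a trojaned replacement.
    ORIGINAL = b"# constructed stand-in for an upstream source tarball\n" * 64
    TAMPERED = b"# constructed stand-in for a trojaned tarball\n" * 64
    result = collide(ORIGINAL, TAMPERED)
    print("CRC-32 matches original: ", result["crc_match"])    # True
    print("SHA-256 matches original:", result["sha256_match"])  # False
```

The four-byte patch lands at the end of the file, where a tarball tolerates trailing garbage and a shell script tolerates a trailing comment, so a CRC in a checksum array catches download corruption and nothing more. A cryptographic hash such as SHA-256 or BLAKE2 has no comparable shortcut, but even it only confirms that the file matches whatever "makepkg -g" happened to hash, which is Allan's point about filling the array from upstream-published values.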