On 24/1/20 12:37 pm, Eli Schwartz wrote: > On 1/22/20 9:18 PM, Allan McRae wrote: >> Checksums arrays should be filled with values provided by upstream. We >> currently have md5 set as an unsecure default, and are constantly asked to >> change it to sha2. However, just changing the default to a stronger checksum >> gives the user the impression that "makepkg -g" checksums are perfect. >> >> Instead, change the default checksum to a CRC, to make it clear that any >> checksum generated purely by "makepkg -g" is not ideal. > > One reason it is not ideal is due to the fact that in my testing, "time > cksum some-large-file" compared to "time md5sum some-large-file" took > nearly twice as long. In fact, md5sum, sha1sum and b2sum all took > roughly the same time to hash > /var/cache/makepkg/srcdest/firefox-72.0.2.source.tar.xz (302MB). > > I mean, granted we're talking a wall clock time of: > > 0:00.49 for sha1 > 0:00.54 for md5 > 0:00.56 for b2 > 0:00.92 for ck > > So these differences don't significantly impact the time spent > (regardless of which algorithm you use). > > On the other hand, it feels silly to move to a slower algorithm.
Well... we hope that no-one will ever use this algorithm! > (I would also like to point out for the record I am part of the group of > people who would prefer Trust On First Use, but I understand this is not > going to be discussed here anymore.) There is nothing stopping anyone adding sha512sums=() to their PKGBUILD. Running "makepkg -g" only pipes out the default when nothing else is in the PKGBUILD.