FS#47141 - get rid of md5sums=() in PKGBUILD.proto and other files
Attached to Project:
Pacman
Opened by Max Bruckner (FSMaxB) - Saturday, 21 November 2015, 23:30 GMT
Last edited by Allan McRae (Allan) - Monday, 14 December 2015, 13:44 GMT
Details
The following files in /usr/share/pacman still use md5sums
for the array of file checksums:
PKGBUILD-rubygem.proto
PKGBUILD-perl.proto
PKGBUILD-bzr.proto
PKGBUILD-split.proto
PKGBUILD-vcs.proto
PKGBUILD-haskell.proto
PKGBUILD-hg.proto
PKGBUILD-darcs.proto
PKGBUILD-cvs.proto
PKGBUILD-python.proto
PKGBUILD.proto
PKGBUILD-gnome.proto
PKGBUILD-git.proto
PKGBUILD-svn.proto

This probably results in many new packages using md5 by default, which shouldn't be the case because it's been broken for a long time now. It would be better to use another hash function like sha512. I added a patch that does this. I can't seem to find all of the files listed above in the git source tree though; maybe they are generated?
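As an added example (not from this report and not pacman's own code), a small shell check in the spirit of the request: it classifies a PKGBUILD by the checksum arrays it declares, so prototypes or submissions that still rely on md5sums (or sha1sums) alone can be flagged. The PKGBUILD texts are constructed samples.

```shell
#!/bin/sh
# Added example, not from the bug report or from pacman: lint a PKGBUILD for the
# strength of the checksum arrays it declares.

# Print the checksum array names declared in the PKGBUILD read from stdin, one
# per line (md5sums, sha1sums, sha256sums, sha512sums, b2sums, and the
# arch-suffixed variants such as sha512sums_x86_64). Comment lines are ignored.
checksum_arrays() {
    grep -Eo '^[[:space:]]*(md5|sha1|sha224|sha256|sha384|sha512|b2)sums(_[A-Za-z0-9]+)?=' \
        | sed -E 's/^[[:space:]]*//; s/=$//' | sort -u
}

# Classify the PKGBUILD passed as a string: "strong" if at least one SHA-2 or
# BLAKE2 array is present, "weak" if only md5sums/sha1sums, "none" if nothing.
classify_pkgbuild() {
    arrays=$(printf '%s\n' "$1" | checksum_arrays)
    if printf '%s\n' "$arrays" | grep -Eq '^(sha224|sha256|sha384|sha512|b2)sums'; then
        echo strong
    elif [ -n "$arrays" ]; then
        echo weak
    else
        echo none
    fi
}

# Constructed sample: the pattern the old prototypes encouraged (md5sums only).
OLD_PROTO=$(cat <<'EOF'
pkgname=NAME
pkgver=VERSION
source=("$pkgname-$pkgver.tar.gz")
md5sums=('SKIP')
EOF
)

# Constructed sample: the same skeleton with sha512sums, as the patch proposes.
NEW_PROTO=$(cat <<'EOF'
pkgname=NAME
pkgver=VERSION
source=("$pkgname-$pkgver.tar.gz")
sha512sums=('SKIP')
EOF
)

# Constructed sample: no live checksum array (a commented-out one must not count).
NO_SUMS='pkgname=NAME
# md5sums=('"'"'SKIP'"'"')
source=("$pkgname.tar.gz")'

for sample in "$OLD_PROTO" "$NEW_PROTO" "$NO_SUMS"; do
    classify_pkgbuild "$sample"   # prints: weak, strong, none
done
```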
Closed by Allan McRae (Allan)
Monday, 14 December 2015, 13:44 GMT
Reason for closing: Duplicate
Additional comments about closing: FS#12772
The case is different though, if no checksum provided by upstream was used, which I think is much more likely to happen for most AUR packages. And this is the case I want to cover with this change. This way it's at least possible to ensure with higher certainty that one has downloaded the same file as the packager.
FS#12772. The general idea is the same: don't actively encourage the use of MD5. I hope this is properly reconsidered since the world has changed a lot since 2009.