Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#49670 - almost all of the PKGBUILD files of the packages in the official repositories must be corrected
Attached to Project:
Arch Linux
Opened by . (bugreport) - Saturday, 11 June 2016, 14:25 GMT
Last edited by Doug Newgard (Scimmia) - Saturday, 11 June 2016, 14:35 GMT
Details

Almost all of the PKGBUILD files of the packages in the official repositories still use MD5 and SHA-1 message digests, and public key fingerprints are missing, even from GNU software PKGBUILDs.

If the upstream provides SHA-256 (or better) message digests, then those must be used; otherwise SHA-512 message digests must be used. FTP and HTTP sources must be avoided. HTTPS or other protocols that enable encrypted file transfers must be used. A lot of the upstream URLs are broken or lead to old and abandoned websites, or the scheme of the URLs isn't 'https://' for HTTPS-enabled websites.
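The three conditions named in the report (MD5/SHA-1 checksum arrays, FTP/HTTP sources, missing key fingerprints) can be checked mechanically. The following is an added example, not part of the original report or of Arch's tooling; the two sample PKGBUILDs, the fingerprint and the checksum placeholder are constructed, and `audit_pkgbuild` is a hypothetical helper name.

```python
import re

WEAK = ("md5sums", "sha1sums")  # digest arrays the report objects to

# Constructed sample: plaintext source, MD5 digests, no validpgpkeys.
BAD = '''
pkgname=example
pkgver=1.0
source=("http://example.org/$pkgname-$pkgver.tar.gz"
        "https://example.org/$pkgname-$pkgver.tar.gz.sig")
md5sums=('d41d8cd98f00b204e9800998ecf8427e'
         'SKIP')
'''

# Constructed sample: HTTPS source, SHA-512 digests, pinned fingerprint.
GOOD = '''
pkgname=example
pkgver=1.0
source=("https://example.org/$pkgname-$pkgver.tar.gz"{,.sig})
sha512sums=('<sha512 of tarball, placeholder>' 'SKIP')
validpgpkeys=('0123456789ABCDEF0123456789ABCDEF01234567')  # constructed
'''

def _arrays(text):
    """Map each bash array assigned in the PKGBUILD to its raw body."""
    found = {}
    for name, body in re.findall(r"^\s*(\w+)\+?=\((.*?)\)", text, re.M | re.S):
        found[name] = found.get(name, "") + " " + body
    return found

def audit_pkgbuild(text):
    """Return findings for weak digests, plaintext sources, missing keys."""
    arrays = _arrays(text)
    findings = []
    for name, body in sorted(arrays.items()):
        base = name.split("_")[0]  # md5sums_x86_64 -> md5sums
        if base in WEAK:
            findings.append(f"weak digest array: {name}")
        if base == "source":
            # \b keeps https:// and sftp:// from matching
            for scheme in re.findall(r"\b(http|ftp)://", body):
                findings.append(f"unencrypted {scheme}:// source in {name}")
    if "validpgpkeys" not in arrays:
        findings.append("no validpgpkeys fingerprints")
    return findings
```

The check is textual only: it does not evaluate bash, so arrays built through variables or functions are not seen.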