On 03.12.2016 at 06:27, fnodeuser wrote:

> 
> if an upstream does not sign the files, does not have https enabled, and/or 
> refuses to take security and privacy seriously, sha512 must be used in the 
> PKGBUILD files.

But using a hash value without the possibility to verify the hashed
files adds no security. It provides a false sense of security instead.

I agree that we should use a strong hash by default where it makes
sense. But in the absence of effective validation of upstream packages,
this is meaningless.
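To make the point of this reply concrete, here is an added example (not code from the thread or from any Arch tooling) showing what a pinned sha512 in a PKGBUILD actually checks: that the file the user downloads is byte-identical to the file the maintainer downloaded. If the maintainer's first fetch over plain HTTP from an unsigned upstream was already tampered with, the pinned digest is computed over the tampered file and the check passes. The tarball contents, the scenario function names and the `verify_pinned` helper are all constructed for illustration.

```python
import hashlib
import hmac

def sha512_hex(data: bytes) -> str:
    """Hex sha512 digest, the form makepkg stores in sha512sums=()."""
    return hashlib.sha512(data).hexdigest()

def verify_pinned(data: bytes, pinned_hex: str) -> bool:
    """Compare a freshly computed digest against the pinned one.
    compare_digest avoids a timing side channel; the result only says
    whether both fetches produced the same bytes, nothing about who
    produced them."""
    return hmac.compare_digest(sha512_hex(data), pinned_hex)

# Constructed sample: the bytes the maintainer fetched when writing the PKGBUILD.
ORIGINAL = b"example-1.0.tar.gz contents (constructed sample)"
PINNED = sha512_hex(ORIGINAL)

def scenario_user_gets_same_file() -> bool:
    # Honest case: user downloads the same bytes the maintainer pinned.
    return verify_pinned(ORIGINAL, PINNED)

def scenario_altered_after_pinning() -> bool:
    # Mirror or MITM changes the file AFTER the digest was pinned:
    # this is the case a strong hash does catch.
    altered = ORIGINAL + b" + extra bytes injected later"
    return verify_pinned(altered, PINNED)

def scenario_altered_before_pinning() -> bool:
    # Maintainer fetched an already-altered file over an unverifiable
    # channel and pinned ITS digest. The check passes for every user,
    # which is the "false sense of security" the reply describes.
    altered = b"example-1.0.tar.gz contents (altered before the maintainer fetched it)"
    pinned_over_altered = sha512_hex(altered)
    return verify_pinned(altered, pinned_over_altered)

if __name__ == "__main__":
    print("same file passes:        ", scenario_user_gets_same_file())
    print("altered after pinning:   ", scenario_altered_after_pinning())
    print("altered before pinning:  ", scenario_altered_before_pinning())
```

The third scenario is what the reply is about: the digest only pins a trust-on-first-use snapshot, so its strength (sha512 versus md5) changes nothing about whether that snapshot was authentic. Only a verification that is independent of the download channel, such as an upstream signature checked against a key obtained elsewhere, turns the digest into evidence of authenticity.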
