Am 03.12.2016 um 06:27 schrieb fnodeuser:
> > if an upstream does not sign the files, does not have https enabled, and/or > refuses to take security and privacy seriously, sha512 must be used in the > PKGBUILD files. But using and hash value without the possibility to verify the hashed files, adds no security. It provides a false sense of security instead. I agree that we should use a strong hash by default where it makes sense. But in the absense ob effective validation of upstream packages, this is meaningless.
signature.asc
Description: OpenPGP digital signature
