On Monday 03 August 2009 11:06:37 Roman Kyrylych wrote:
> >> 2) Arch integrity check policy. This is the default checksum produced
> >> with "makepkg -g". Stick with md5sum or go to sha256? I don't care but
> >> md5sum has collisions so maybe sha256 is the way to go.
> >
> > Afaik md5sum is good enough for download verification. But I don't really
> > care as long as we could use both.
>
> I think md5sum collisions are more security-related stuff,
> and for security we need signed packages anyway.
> When speaking about checking package integrity
> - md5sum does its job fine.
> So I see no benefit in moving to sha256.

That's what I meant. It's very unlikely that you download a broken package due to networking problems which has the same md5sum and is also a valid tar.gz.

--
Pierre Schmitz, http://users.archlinux.de/~pierre

