Chris White wrote:
Well, the problem that occurs here is the verification process. With MD5, you can hit most upstream sites, and they'll have an MD5SUM avaliable that you can authenticate against.
Well if you care enough to verify this, you can easily create an md5sum of the fetched distfile yourself, and compare that with upstream :) Of course, if you want to verify digests of random packages without wanting to actually download and use them, then you would miss MD5 in the manifest, but how likely is that?
-- Vlastimil Babka (Caster) Gentoo/Java -- gentoo-dev@gentoo.org mailing list
