On Mon, Jul 18, 2011 at 3:52 AM, Kerrick Staley <[email protected]> wrote: > This will just require a SHA256 in addition to an MD5 (if one is even > present), that's all (for some reason I thought it was more complicated than > that, but you're right). MD5s haven't exactly been broken for our purposes > (there are no working preimage attacks against MD5 yet), but there is little > reason to expect that it will stay this way for much longer. So yeah, > scratch the flag and the corresponding config option, but we should also > make SHA256 a requirement at some point.
What do you mean by "requirement"? All the tools we ship will provide it, but since we aren't even verifying it yet in pacman code, that will need to be added first. -Dan
