| Field | Value | Date |
|---|---|---|
| author | Allan McRae <allan@archlinux.org> | 2020-01-23 03:04:28 +0100 |
| committer | Allan McRae <allan@archlinux.org> | 2020-01-28 01:45:42 +0100 |
| commit | c3852ff42569542b787d9e49289f5358ad22f900 (patch) | |
| tree | 51bb720b2a2f1dd4f997f7a0c1f5e9c9335458b3 /doc/PKGBUILD.5.asciidoc | |
| parent | e54617c7d554e0c14c039432b5f7bef66e43769c (diff) | |
Note that checksums from "makepkg -g" are not ideal
Generating checksums with "makepkg -g" only determines that the user of a
PKGBUILD has the same file as the packager (assuming no collision). This
means an upstream source could be maliciously changed and passed on as valid
by a PKGBUILD. To avoid this, it is essential that any checksums used in
a PKGBUILD are as provided by upstream.
Signed-off-by: Allan McRae <allan@archlinux.org>
Diffstat (limited to 'doc/PKGBUILD.5.asciidoc')

| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | doc/PKGBUILD.5.asciidoc | 4 |

1 files changed, 3 insertions, 1 deletions
diff --git a/doc/PKGBUILD.5.asciidoc b/doc/PKGBUILD.5.asciidoc index ef53c0ee..4c4c6df5 100644 --- a/doc/PKGBUILD.5.asciidoc +++ b/doc/PKGBUILD.5.asciidoc @@ -152,7 +152,9 @@ contain whitespace characters. file integrity during subsequent builds. If 'SKIP' is put in the array in place of a normal hash, the integrity check for that source file will be skipped. To easily generate md5sums, run ``makepkg -g >> PKGBUILD''. - If desired, move the md5sums line to an appropriate location. + If desired, move the md5sums line to an appropriate location. Note that + checksums generated by "makepkg -g" should be verified using checksum + values provided by the software developer. *sha1sums, sha224sums, sha256sums, sha384sums, sha512sums, b2sums (arrays)*:: Alternative integrity checks that makepkg supports; these all behave |
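Review bot: The new caveat is attached only to the md5sums entry, yet the entry that immediately follows ("sha1sums, sha224sums, sha256sums, sha384sums, sha512sums, b2sums") states that those arrays "all behave" the same way, so a packager who fills in sha256sums with `makepkg -g` never sees the warning; consider moving the sentence to where it covers every integrity array, or adding a short cross-reference in the alternative-checksums entry. Two smaller points on the added lines: the command is quoted as "makepkg -g" with straight double quotes while the sentence just above uses the file's ``makepkg -g'' asciidoc quoting, so the rendered man page will show two styles; and "should be verified using checksum values provided by the software developer" states what to do without saying why, whereas the commit message's reasoning (a locally generated checksum only shows that later builds fetch the same file the packager had, not that the file is what upstream released) is exactly what a reader of the man page needs to understand the risk. Suggest adding that reason in one clause, e.g. "...since a checksum generated from the downloaded file only confirms that later builds fetch the same file, not that it is the file upstream released."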