repos providing only md5 sums

Thomas Penteker tek at
Fri Apr 1 23:21:44 UTC 2016

* Thomas Penteker (tek at wrote:
> Hello,
> (...)

I forgot to add that we can make core/ports download the keys on each build
to make sure that they are current (vs. distributing them via the ports tree).
This assumes that they are sent via a host with a valid certificate.

We could also add multiple sources and compare multiple versions but paranoia
can get really messy really soon (what about modified cat/sha*/md5sum binaries
during comparison etc.).
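
An added example, not part of the original message or of CRUX's tooling: one way to combine the two ideas above, fetching the key only from HTTPS sources with certificate verification and accepting it only when a quorum of sources serve the same key. The source names, the sample key text and the helper names `fetch_key`, `fingerprint` and `agree_on_key` are assumptions made for illustration; hashing is done in-process rather than by calling external sha*/md5sum binaries.

```python
import hashlib
import ssl
import urllib.request
from collections import Counter


def fetch_key(url: str, timeout: float = 10.0) -> bytes:
    """Download one copy of the key over HTTPS with certificate verification."""
    if not url.startswith("https://"):
        raise ValueError(f"refusing non-HTTPS key source: {url}")
    ctx = ssl.create_default_context()  # verifies certificate chain and hostname
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read()


def fingerprint(key: bytes) -> str:
    """SHA-256 of the key text, ignoring line-ending and trailing-space noise."""
    lines = [ln.rstrip() for ln in key.decode("utf-8", "replace").splitlines()]
    return hashlib.sha256("\n".join(lines).strip().encode()).hexdigest()


def agree_on_key(copies: dict, quorum: int):
    """Return (key, dissenting_sources) if at least `quorum` sources agree.

    `copies` maps a source name to the bytes it served, or None when the
    download failed. Failed or empty sources never count towards the quorum.
    Choose quorum > len(copies) / 2 so that two rival keys cannot both pass.
    """
    prints = {src: fingerprint(k) for src, k in copies.items() if k}
    if not prints:
        raise RuntimeError("no key source could be read")
    winner, votes = Counter(prints.values()).most_common(1)[0]
    if votes < quorum:
        raise RuntimeError(f"only {votes} source(s) agree, need {quorum}")
    dissent = sorted(s for s, fp in prints.items() if fp != winner)
    key = next(copies[s] for s, fp in prints.items() if fp == winner)
    return key, dissent


# Constructed sample data: hypothetical sources, one of them serving another key.
GOOD = b"-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-SAMPLE-A\n-----END PUBLIC KEY-----\n"
SAMPLE = {
    "mirror-a": GOOD,
    "mirror-b": GOOD.replace(b"\n", b"\r\n"),  # same key, CRLF line endings
    "mirror-c": GOOD.replace(b"SAMPLE-A", b"SAMPLE-B"),  # different key
    "mirror-d": None,  # download failed
}

if __name__ == "__main__":
    key, dissent = agree_on_key(SAMPLE, quorum=2)
    print(fingerprint(key), "dissenting sources:", dissent)
```

A dissenting source is returned rather than silently dropped, so a build can log or abort on it.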

