I wish the package-query maintainers would stop hard-coding the pacman version in their PKGBUILD as requirements. It means that every time there's a minor release of pacman, updating breaks for the 6 hours it takes the AUR guys to catch up.
yaourt & co. are very useful when you have to build packages with tons of dependencies. I had to build the 32-bit gstreamer stuff from AUR for some Wine work recently, and it saved me tons of time. Just remember to set --noconfirm or it'll ask you to confirm a dozen things for every package :)
A bunch of AUR packages, like Yaourt itself, download their sources over HTTP and verify them with MD5, so even if you trust the AUR maintainer you have no idea if you're getting the same file they did.
It's sad that makepkg still uses MD5 by default in this day and age because "it's faster".
I assure you Yaourt doesn't have an .asc signature either.
They should be using SHA-256, or Blake 2 if they think the extra seconds spent verifying matter, but insisting on using MD5 is pretty much going out of your way to increase your attack surface. There is no reason to use it in a modern system.
> I assure you Yaourt doesn't have an .asc signature either.
That's yaourt's problem, not makepkg's or the AUR's.
> They should be using SHA-256, or Blake 2 if they think the extra seconds spent verifying matter, but insisting on using MD5 is pretty much going out of your way to increase your attack surface.
It doesn't matter what algorithm you use, file hashes are not a security feature. Use GPG!
The widespread use of MD5 in AUR is because that is the default in makepkg, making it both AUR's and makepkg's "problem".
> It doesn't matter what algorithm you use
Of course it matters; they have different guarantees. A secure hash would at least guarantee that the file you get is the same one the packager got; MD5 doesn't. They are refusing to use strictly better alternatives out of pure stubbornness.
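The points raised in this thread (md5sums as the makepkg default, plain-HTTP sources, no GPG verification, and a pinned pacman version in depends) can be checked mechanically before building. The script below is an added example, not code from any of the posters or from makepkg; both PKGBUILD fragments are constructed, with placeholder digests and a placeholder key fingerprint.

```shell
#!/bin/sh
# Constructed sample PKGBUILDs (not real AUR packages; digests/fingerprint are placeholders).
WEAK_PKGBUILD='pkgname=example-weak
pkgver=1.0
depends=("pacman=5.2.1")
source=("http://example.invalid/example-1.0.tar.gz")
md5sums=("00000000000000000000000000000000")'

HARDENED_PKGBUILD='pkgname=example-hardened
pkgver=1.0
depends=("pacman")
source=("https://example.invalid/example-1.0.tar.gz"
        "https://example.invalid/example-1.0.tar.gz.asc")
sha256sums=("0000000000000000000000000000000000000000000000000000000000000000" "SKIP")
validpgpkeys=("0000000000000000000000000000000000000000")'

# audit_pkgbuild TEXT: print one finding per line; exit 0 only when there are none.
audit_pkgbuild() {
    _text=$1
    _n=0
    if printf '%s\n' "$_text" | grep -Eq '^(md5|sha1)sums='; then
        echo "weak checksum array (md5sums/sha1sums): switch to sha256sums or b2sums"
        _n=$((_n + 1))
    fi
    if printf '%s\n' "$_text" | grep -q 'http://'; then
        echo "plaintext http:// source: the checksum only pins what the packager happened to download"
        _n=$((_n + 1))
    fi
    if ! printf '%s\n' "$_text" | grep -q '^validpgpkeys='; then
        echo "no validpgpkeys: upstream signature is never verified, checksums alone are not a trust anchor"
        _n=$((_n + 1))
    fi
    if printf '%s\n' "$_text" | grep -Eq '^depends=.*pacman[=<>]'; then
        echo "pacman version pinned in depends: every minor pacman release breaks the build"
        _n=$((_n + 1))
    fi
    [ "$_n" -eq 0 ]
}

for pkg in "$WEAK_PKGBUILD" "$HARDENED_PKGBUILD"; do
    echo "== $(printf '%s\n' "$pkg" | sed -n 's/^pkgname=//p') =="
    if audit_pkgbuild "$pkg"; then
        echo "no findings"
    fi
done
```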