
Yes, obviously you should know what the AUR is before you use it.


A bunch of AUR packages, like Yaourt itself, download their sources over HTTP and verify them with MD5, so even if you trust the AUR maintainer you have no idea if you're getting the same file they did.

It's sad that makepkg still uses MD5 by default in this day and age because "it's faster".


File hashes are only supposed to protect against download errors, not against malicious intent.

MD5 is good enough for that, and makepkg supports GPG for actual verification.


I assure you Yaourt doesn't have an .asc signature either.

They should be using SHA-256, or Blake 2 if they think the extra seconds spent verifying matter, but insisting on using MD5 is pretty much going out of your way to increase your attack surface. There is no reason to use it in a modern system.


> I assure you Yaourt doesn't have an .asc signature either.

That's yaourt's problem, not makepkg's or the AUR's.

> They should be using SHA-256, or Blake 2 if they think the extra seconds spent verifying matter, but insisting on using MD5 is pretty much going out of your way to increase your attack surface.

It doesn't matter what algorithm you use, file hashes are not a security feature. Use GPG!


The widespread use of MD5 in AUR is because that is the default in makepkg, making it both AUR's and makepkg's "problem".

> It doesn't matter what algorithm you use

Of course it matters, they have different guarantees. A secure hash would at least guarantee that the file you get is the same one the packager got, MD5 doesn't. They are refusing to use strictly better alternatives out of pure stubbornness.
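To make the disagreement above concrete, here is an added example (not code from the thread, from makepkg, or from the AUR) that mimics the checksum step makepkg performs: each entry in `source=()` is checked against a parallel `md5sums=()`, `sha256sums=()`, `b2sums=()` and so on. The script picks the strongest array a PKGBUILD offers and flags the case where only `md5sums` is present. The PKGBUILD fragments and the "tarball" bytes are constructed for the example, and the checksum lines are generated from those bytes so it runs offline; the array names are the ones makepkg accepts, but nothing else here is makepkg's own logic.

```python
"""Added example: a makepkg-style checksum check for an in-memory PKGBUILD.

It selects the strongest checksum array present, verifies one source blob
against it, and reports whether the PKGBUILD offered only md5sums.
"""
import hashlib
import re

# Strongest first. These are the array names makepkg accepts.
SUM_ARRAYS = ["b2sums", "sha512sums", "sha384sums", "sha256sums",
              "sha224sums", "sha1sums", "md5sums"]
HASH_FOR = {"b2sums": "blake2b", "sha512sums": "sha512", "sha384sums": "sha384",
            "sha256sums": "sha256", "sha224sums": "sha224",
            "sha1sums": "sha1", "md5sums": "md5"}
# Arrays whose hash is still collision-resistant; md5 and sha1 are not.
STRONG = {"b2sums", "sha512sums", "sha384sums", "sha256sums", "sha224sums"}

_ARRAY_RE = re.compile(r"^(\w+)=\(([^)]*)\)", re.M)


def parse_sum_arrays(pkgbuild: str) -> dict:
    """Return {array_name: [hex digests]} for every *sums=() array in the text."""
    arrays = {}
    for name, body in _ARRAY_RE.findall(pkgbuild):
        if name in SUM_ARRAYS:
            arrays[name] = [tok.strip("'\"") for tok in body.split()]
    return arrays


def verify_source(pkgbuild: str, data: bytes, index: int = 0) -> dict:
    """Check one source blob against the strongest checksum array available.

    Returns {"array": name or None, "ok": bool, "weak_only": bool}.
    A 'SKIP' entry is honoured the way makepkg honours it: no check at all.
    """
    arrays = parse_sum_arrays(pkgbuild)
    chosen = next((n for n in SUM_ARRAYS if n in arrays), None)
    if chosen is None:
        return {"array": None, "ok": False, "weak_only": False}
    expected = arrays[chosen][index]
    if expected == "SKIP":
        ok = True
    else:
        ok = hashlib.new(HASH_FOR[chosen], data).hexdigest() == expected
    # Only a collision-resistant hash pins the file to what the packager saw.
    weak_only = not any(n in arrays for n in STRONG)
    return {"array": chosen, "ok": ok, "weak_only": weak_only}


# --- constructed sample data (not a real package) ------------------------
SAMPLE_TARBALL = b"not a real tarball, just constructed bytes for the demo\n"
SAMPLE_MD5 = hashlib.md5(SAMPLE_TARBALL).hexdigest()
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_TARBALL).hexdigest()

# Constructed fragment offering both arrays; sha256sums is chosen.
PKGBUILD_BOTH = f"""pkgname=demo
source=('demo-1.0.tar.gz')
md5sums=('{SAMPLE_MD5}')
sha256sums=('{SAMPLE_SHA256}')
"""

# Constructed fragment with only md5sums, the case the thread complains about.
PKGBUILD_MD5_ONLY = f"""pkgname=demo
source=('demo-1.0.tar.gz')
md5sums=('{SAMPLE_MD5}')
"""

if __name__ == "__main__":
    for label, pb in [("both", PKGBUILD_BOTH), ("md5-only", PKGBUILD_MD5_ONLY)]:
        print(label, verify_source(pb, SAMPLE_TARBALL))
    print("tampered", verify_source(PKGBUILD_BOTH, SAMPLE_TARBALL + b"x"))
```

The `weak_only` flag is the part that matters for this thread: with a strong hash, a matching checksum tells you the file is byte-for-byte what the packager hashed, which is useful even without a signature; with `md5sums` alone it tells you only that the download was not corrupted. Neither replaces `validpgpkeys` and a detached signature for establishing who produced the file.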


Big reason why I use OpenSUSE at work.




