From c3852ff42569542b787d9e49289f5358ad22f900 Mon Sep 17 00:00:00 2001
From: Allan McRae <allan@archlinux.org>
Date: Thu, 23 Jan 2020 12:04:28 +1000
Subject: Note that checksums from "makepkg -g" are not ideal

Generating checksums with "makepkg -g" only determines that the user of a
PKGBUILD has the same file as the packager (assuming no collision).  This
means an upstream source could be maliciously changed and passed on as valid
by a PKGBUILD.  To avoid this, it is essential that any checksums used in
a PKGBUILD are as provided by upstream.

Signed-off-by: Allan McRae <allan@archlinux.org>
---
 doc/PKGBUILD.5.asciidoc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/doc/PKGBUILD.5.asciidoc b/doc/PKGBUILD.5.asciidoc
index ef53c0ee..4c4c6df5 100644
--- a/doc/PKGBUILD.5.asciidoc
+++ b/doc/PKGBUILD.5.asciidoc
@@ -152,7 +152,9 @@ contain whitespace characters.
 	file integrity during subsequent builds. If 'SKIP' is put in the array
 	in place of a normal hash, the integrity check for that source file will
 	be skipped. To easily generate md5sums, run ``makepkg -g >> PKGBUILD''.
-	If desired, move the md5sums line to an appropriate location.
+	If desired, move the md5sums line to an appropriate location.  Note that
+	checksums generated by "makepkg -g" should be verified using checksum
+	values provided by the software developer.
 
 *sha1sums, sha224sums, sha256sums, sha384sums, sha512sums, b2sums (arrays)*::
 	Alternative integrity checks that makepkg supports; these all behave
-- 
cgit v1.2.3-54-g00ecf