From 97ba4252b43323b2e7271e8069d55876c51df4a9 Mon Sep 17 00:00:00 2001 From: Xi Ruoyao Date: Mon, 18 Oct 2021 18:47:42 +0800 Subject: [PATCH] building-notes: MD5 can be used to detect stealth update --- introduction/important/building-notes.xml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/introduction/important/building-notes.xml b/introduction/important/building-notes.xml index 2c19f26036..80af0a42a8 100644 --- a/introduction/important/building-notes.xml +++ b/introduction/important/building-notes.xml @@ -112,8 +112,13 @@ bunzip2 -v patchname.bz2 md5sum <name_of_downloaded_file> MD5 is not cryptographically secure, so the md5sums are only - provided for detecting random errors or truncations introduced during - network transfer. There is no 100% secure way to make + provided for detecting unmalicious changes to the file content. For + example, an error or truncation introduced during network transfer, or + a stealth update to the package from the upstream + (updating the content of a released tarball instead of making a new + release properly). + + There is no 100% secure way to make sure the genuity of the source files. Assuming the upstream is managing their website correctly (the private key is not leaked and the domain is not hijacked), and the trust anchors have been set up correctly using
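Review bot: In the replaced paragraph of this hunk, "unmalicious changes" reads awkwardly and "from the upstream" should drop the article; suggest "provided for detecting non-malicious changes to the file content" and "a stealth update to the package from upstream". It would also help to state the assumption the new sentence relies on: a mismatch only reveals a stealth update if the md5sum recorded in the book was computed against the tarball as originally released, so the text could say "a stealth update ... made after the md5sum was recorded". The unchanged context that follows, "make sure the genuity of the source files", is not idiomatic either; if the paragraph is being touched anyway, "ensure the authenticity of the source files" would be clearer.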