On Mon, 22 Feb 2016 16:22:40 +0100 Christian Rebischke <Chris.Rebischke@archlinux.org> wrote:
Hello, Linux Mint had a security breach [1] and was serving an infected ISO. I think this would be a good moment for thinking about our Arch Linux Download-page on [2]. I recommend to change the checksums. MD5 and SHA1 are both broken.[3][4]
What do you think about using SHA256 ( or even better SHA512 ) for this? Maybe we should also sign the ISO with a GPG-Key.
It already is signed.
I don't mean that we should remove the MD5 checksum but we should add some other checksum and sign the ISO.
You can call me paranoid but I don't want too see such a security fail on archlinux.org
Best regards,
Chris
Arch Linux Security Team
[1] http://arstechnica.com/security/2016/02/linux-mint-hit-by-malware-infection-... [2] https://www.archlinux.org/download/ [3] http://www.mathstat.dal.ca/~selinger/md5collision/ [4] https://www.schneier.com/blog/archives/2015/10/sha-1_freestart.html