[arch-devops] Arch Linux ISO Checksums on archlinux.org
Hello,

Linux Mint had a security breach [1] and was serving an infected ISO. I think this would be a good moment for thinking about our Arch Linux download page on [2]. I recommend changing the checksums. MD5 and SHA1 are both broken. [3][4]

What do you think about using SHA256 (or even better SHA512) for this? Maybe we should also sign the ISO with a GPG key.

I don't mean that we should remove the MD5 checksum, but we should add some other checksum and sign the ISO.

You can call me paranoid, but I don't want to see such a security fail on archlinux.org.

Best regards,
Chris
Arch Linux Security Team

[1] http://arstechnica.com/security/2016/02/linux-mint-hit-by-malware-infection-...
[2] https://www.archlinux.org/download/
[3] http://www.mathstat.dal.ca/~selinger/md5collision/
[4] https://www.schneier.com/blog/archives/2015/10/sha-1_freestart.html
On Mon, 22 Feb 2016 16:22:40 +0100 Christian Rebischke <Chris.Rebischke@archlinux.org> wrote:
Hello, Linux Mint had a security breach [1] and was serving an infected ISO. I think this would be a good moment for thinking about our Arch Linux download page on [2]. I recommend changing the checksums. MD5 and SHA1 are both broken. [3][4]
What do you think about using SHA256 (or even better SHA512) for this? Maybe we should also sign the ISO with a GPG key.
It already is signed.
I don't mean that we should remove the MD5 checksum, but we should add some other checksum and sign the ISO.
You can call me paranoid, but I don't want to see such a security fail on archlinux.org.
Best regards,
Chris
Arch Linux Security Team
[1] http://arstechnica.com/security/2016/02/linux-mint-hit-by-malware-infection-...
[2] https://www.archlinux.org/download/
[3] http://www.mathstat.dal.ca/~selinger/md5collision/
[4] https://www.schneier.com/blog/archives/2015/10/sha-1_freestart.html
On February 22, 2016 4:22:40 PM GMT+01:00, Christian Rebischke <Chris.Rebischke@archlinux.org> wrote:
Maybe we should also sign the ISO with a GPG key.
I don't mean that we should remove the MD5 checksum, but we should add some other checksum and sign the ISO.
The ISO is actually signed; above the mentioned checksums [0] you can find the signature file [1].

Cheers,
Levente

[0] https://www.archlinux.org/download/
[1] https://www.archlinux.org/iso/2016.02.01/archlinux-2016.02.01-dual.iso.sig
On Mon, Feb 22, 2016 at 04:55:17PM +0100, Levente Polyak wrote:
On February 22, 2016 4:22:40 PM GMT+01:00, Christian Rebischke <Chris.Rebischke@archlinux.org> wrote:
Maybe we should also sign the ISO with a GPG key.
I don't mean that we should remove the MD5 checksum, but we should add some other checksum and sign the ISO.
The ISO is actually signed; above the mentioned checksums [0] you can find the signature file [1].
Cheers, Levente
[0] https://www.archlinux.org/download/
[1] https://www.archlinux.org/iso/2016.02.01/archlinux-2016.02.01-dual.iso.sig

Sorry guys, I was too fast and inattentive there. But what do you think about adding a stronger checksum to it? I know that a GPG signature + MD5 or SHA1 would be enough, but I know enough people who just check the checksum and don't care about signatures.

Regards,
Chris
On 23/02, Christian Rebischke wrote:
On Mon, Feb 22, 2016 at 04:55:17PM +0100, Levente Polyak wrote:
On February 22, 2016 4:22:40 PM GMT+01:00, Christian Rebischke <Chris.Rebischke@archlinux.org> wrote:
Maybe we should also sign the ISO with a GPG key.
I don't mean that we should remove the MD5 checksum, but we should add some other checksum and sign the ISO.
The ISO is actually signed; above the mentioned checksums [0] you can find the signature file [1].
Cheers, Levente
[0] https://www.archlinux.org/download/
[1] https://www.archlinux.org/iso/2016.02.01/archlinux-2016.02.01-dual.iso.sig
Sorry guys, I was too fast and inattentive there. But what do you think about adding a stronger checksum to it? I know that a GPG signature + MD5 or SHA1 would be enough, but I know enough people who just check the checksum and don't care about signatures.

The checksums aren't for security, and anyone who replaced the tarball could most likely change the checksum as well.

--
Sincerely,
Johannes Löthberg
PGP Key ID: 0x50FB9B273A9D0BB5
https://theos.kyriasis.com/~kyrias/
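To make Johannes's point concrete, here is an added example (not from the thread and not Arch's release tooling) that models both checks in Go: a checksum published on the same page as the file, and a detached signature verified against a key obtained out of band. Ed25519 stands in for the GPG signature, and the ISO contents are constructed byte strings.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// DownloadPage: what a download page shows next to an ISO (the SHA256 Chris asks
// for, plus a detached signature). Ed25519 stands in for GPG here (assumption).
type DownloadPage struct {
	SHA256    string
	Signature []byte
}

func sha256Hex(iso []byte) string {
	sum := sha256.Sum256(iso)
	return hex.EncodeToString(sum[:])
}

// Publish: the release engineer signs with a key that never touches the web server.
func Publish(iso []byte, releaseKey ed25519.PrivateKey) DownloadPage {
	return DownloadPage{SHA256: sha256Hex(iso), Signature: ed25519.Sign(releaseKey, iso)}
}

// ChecksumMatches is what most downloaders do: compare the file's hash with the
// value shown on the very page that served the file.
func ChecksumMatches(iso []byte, page DownloadPage) bool {
	return sha256Hex(iso) == page.SHA256
}

// SignatureValid uses the release public key fetched out of band, not from the page.
func SignatureValid(iso []byte, page DownloadPage, pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, iso, page.Signature)
}

// Compromise models a Mint-style breach: whoever swaps the ISO also controls the
// page and simply recomputes the checksum, but holds no release key.
func Compromise(page DownloadPage, evilISO []byte) DownloadPage {
	return DownloadPage{SHA256: sha256Hex(evilISO), Signature: page.Signature}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	iso, evil := []byte("constructed good ISO bytes"), []byte("constructed backdoored ISO bytes")
	bad := Compromise(Publish(iso, priv), evil)
	fmt.Println(ChecksumMatches(evil, bad), SignatureValid(evil, bad, pub)) // true false
}
```

A stronger hash algorithm changes nothing in this model: the recomputed SHA256 still matches, and only the signature check, anchored to a key the web server never held, rejects the swapped file.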
Mon, 22 Feb 2016 16:22:40 +0100 Christian Rebischke <Chris.Rebischke@archlinux.org>:
What do you think about using SHA256 (or even better SHA512) for this? Maybe we should also sign the ISO with a GPG key.

The ISO is already signed: https://www.archlinux.org/iso/2016.02.01/archlinux-2016.02.01-dual.iso.sig

Dunno how it's done though, I would have expected something around here: https://projects.archlinux.org/archiso.git/tree/configs/releng/build.sh#n204 ... perhaps it's done manually on upload.

Also see https://bugs.archlinux.org/task/47775 and https://lists.archlinux.org/pipermail/arch-releng/2016-February/003634.html for a more universal/personal approach.

--byte
participants (5)
- Christian Rebischke
- Doug Newgard
- Jens Adam
- Johannes Löthberg
- Levente Polyak