On Tue, May 08, 2018 at 11:38:01PM -0400, Eli Schwartz via arch-general wrote:
When you say "still", that implies that there was any sort of effort to change that in the first place...
Fair enough :) I thought it's a slow natural process...
- not any sort of security check at all, they're there for CRC purposes, and using strong CRC is security theater because the maintainer probably just blindly ran updpkgsums without checking anything at all so they generated very strong fake hashes -- come back when you have PGP[1] which is actually security
In this case, even using gpg keys won't guarantee security because verifying a key via a side channel is not much easier than the hash.
- actively dangerous as people think strong checksums equals security, which makes them trust the sources even when they shouldn't; like security theater except used as a justification for the other extreme
Yes, but see [1] and [2]. At least with SHA hashes we are not so vulnerable. [1] http://cryptography.hyperlink.cz/2004/otherformats.html [2] https://www.mathstat.dal.ca/~selinger/md5collision
- better than nothing, and therefore very useful since it ensures that you at least rebuilt the same thing the maintainer did
No really, see just above. That is an old link, probably now forging .tar.gz files got much easier.
- very much security, because obviously the maintainer verifies sources out of band, and checksums are their way of telling us what the canonical sources are
If (s)he does, then there will be multiple hashes, from different sources, no?
As extensively discussed in several mailing list and forum threads, the best way to get security which everyone agrees on is to encourage upstream developers to PGP-sign their sources. I've done quite a bit of work on the existing TODO[1] which we have for implementing better PGP checks (and HTTPS for both privacy and TLS endpoint verification), in addition to providing the patchset[2] for makepkg (available in git master and awaiting the 5.1 release) which allows verifying git(1) signed commits/tags.
Thanks for your work! I didn't know about those links, will check them out. But ok, I see your point... Thanks, L. -- Leonid Isaev