On 05/08/2018 11:53 PM, Leonid Isaev via arch-general wrote:
- not any sort of security check at all, they're there for CRC purposes, and using strong CRC is security theater because the maintainer probably just blindly ran updpkgsums without checking anything at all so they generated very strong fake hashes -- come back when you have PGP[1] which is actually security
In this case, even using gpg keys won't guarantee security because verifying a key via a side channel is not much easier than the hash.
I'm not sure what you mean. PGP is by its very nature very secure, you establish an ongoing relationship with the key holder and can verify many, many objects, like the entire release history instead of independently bootstrapping the TOFU (Trust On First Use) model with every new release. PGP keys are also far more likely to appear in multiple independently verifiable locations, you can embed them in your DNS records, post them on your blog, github profile, keybase.io proofs utilizing DNS as well as social media linkages, email footer (and signed email history) to establish a difficult-to-falsify history, or simply follow the PGP web of trust. -- Eli Schwartz Bug Wrangler and Trusted User