On 12/07/2016 10:49 AM, Allan McRae wrote:
> I advocate keeping md5sum as the default because it is broken. If I see someone purely verifying their sources using md5sum in a PKGBUILD (and not pgp signature), I know that they have done nothing to actually verify the source themselves.
> If sha2sums become default, I now know nothing. Did the maintainer of the PKGBUILD get that checksum from a securely distributed source from upstream? Had the source already been compromised upstream before the PKGBUILD was made? Now I am securely verifying the unknown.
> But we don't care about that... we just want to feel warm and fuzzy with a false sense of security.
> A

You are partly right. For a checksum, CRC would be best. Fast and simple, as it's meant as a checksum, not as a hash. However, if we drop the other hashes we lose the whole integrity for those cases that people already explained[1]. We all agree that md5 as a hash is broken. So possibly we should get our point of view into the direction that those hashes are not checksums, but rather integrity checks.

Once again: This does not help in the very first place of downloading. But it helps on AUR, where multiple users download the files and would get errors on wrong hashes (if the source got modified later or if a MITM occurred). In those cases users can compare against the hash of others (maintainer) and at least verify that their source was the same (integrity).

Also, if you say that you can notice the people who do not care about security by using md5, you can pass the buck to this guy. But this does not solve anything. And on top, there are still a LOT of packages in the official repositories that still use md5/sha1. And I really do not understand why, because those should be aware of the problem.

We should not make the problem worse by using CRC. We should carefully understand when the integrity check helps. If it's not meant for integrity, the wiki is wrong, as it calls it integrity, not checksum. There is no real valid argument about using lower security standards. Even if people might misunderstand the meaning of the hashes, they do not understand security at all. And those can still be helped with a good explanation of those checks on the wiki with a link to the GPG templates (see below).

[1] https://lists.archlinux.org/pipermail/arch-general/2016-December/042737.html

On 12/07/2016 11:17 AM, Gregory Mullen wrote:
> If the argument left is, I don't want (better checksum) because it shouldn't be thought of as a security check, and I want a security check.
> Why can't the requirement be PGP sigs are now required, and we drop the checksum completely?

That is also what I suggest. If we only move GPG-signed packages to community, the whole situation will improve. A lot more upstream projects will then possibly try to use GPG if they want to make it into our (and possibly also other) distributions.

What we need here is more action from the maintainer side. I've linked my templates for contacting upstream about using GPG. With those it would be really easy for them to understand what we need, why and how to accomplish it. We already agreed that we need to use GPG whenever possible, but we should also try to do our best to get upstream to do so. It is really simple.

~Nico
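
The distinction argued over in this thread (broken hash only, SHA-2 integrity only, or a PGP signature with a pinned key) can be read straight off a PKGBUILD. The following is an added example, not part of the original messages or of makepkg: the `audit` function, its category names and the sample fragments are assumptions, the parsing is a simplified regex that ignores per-architecture arrays, and it reports only what the PKGBUILD declares, not whether a signature actually verifies.

```python
import re

# PKGBUILD checksum arrays, grouped the way the thread treats them.
BROKEN = ("md5sums", "sha1sums")
STRONG = ("sha224sums", "sha256sums", "sha384sums", "sha512sums")
ARRAY = re.compile(r"^(\w+)=\((.*?)\)", re.M | re.S)   # name=( ... ) at line start
DIGEST = re.compile(r"\b[0-9a-fA-F]{32,}\b")           # a 'SKIP' entry never matches
SIGFILE = re.compile(r"\.(?:sig|asc|sign)\b")          # detached signature in source=()

def audit(pkgbuild: str) -> str:
    """Return 'pgp', 'sha2-only', 'weak-hash-only' or 'unverified'."""
    arrays = dict(ARRAY.findall(pkgbuild))
    # A signature only counts if a key to check it against is pinned as well.
    if (SIGFILE.search(arrays.get("source", ""))
            and DIGEST.search(arrays.get("validpgpkeys", ""))):
        return "pgp"
    have = {n for n in BROKEN + STRONG if DIGEST.search(arrays.get(n, ""))}
    if have & set(STRONG):
        return "sha2-only"       # integrity against the maintainer's download only
    if have:
        return "weak-hash-only"  # the case Allan says he can spot at a glance
    return "unverified"

# Constructed samples: placeholder URL, digests and key fingerprint.
URL = '"https://example.org/foo-1.0.tar.gz"'
SHA = f"sha256sums=('{'ab' * 32}' 'SKIP')\n"
SAMPLES = {
    "md5": f"source=({URL})\nmd5sums=('{'0' * 32}')\n",
    "sha256": f"source=({URL})\nsha256sums=('{'ab' * 32}')\n",
    "signed": f"source=({URL}{{,.sig}})\n{SHA}validpgpkeys=('{'AB' * 20}')\n",
    "sig_no_key": f"source=({URL}{{,.sig}})\n{SHA}",
    "skip": f"source=({URL})\nsha256sums=('SKIP')\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:12s} {audit(text)}")
```
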