On 12/16/2016 09:59 AM, Levente Polyak wrote:
> On 12/16/2016 06:03 AM, Eli Schwartz via arch-general wrote:
>> On 12/15/2016 08:35 PM, fnodeuser wrote:
>>> What I said is that the users must check the integrity of the sources too. It is not something that only the package maintainers must do. The users must check the PKGBUILD files to compare message digests and key fingerprints.
>> You didn't say that. But now that you do say that, I can tell you that you are wrong. On no operating system does anyone care about that. Only as a byproduct of source-based operating systems do some (a small minority of) people even check that, whether they care or not.
>> The maintainers are maintainers because we trust them to be honest. And if they aren't honest, you are an absolute fool for thinking you can check the source in order to catch malicious modifications in the compiled binaries.
> I agree, there is no point why users _must_ check the integrity of sources too. Essentially that's what a maintainer should do, and you need to trust a maintainer to some degree anyway. That doesn't mean nobody should; if a particular group of users wants to, they can. But it is certainly nothing users _must_ do. In the AUR, it's of course a bit different, as you have much less trust in an arbitrary maintainer and want to take a look at the PKGBUILD itself and also figure out if that's really the right upstream.
And for those who want to check the sources, strong hashes are important. We are talking about integrity, not checksums. It was intended as a checksum, fine. But the integrity ability of those hashes is ALSO highly important, not only the checksum ability. People can check all sources, not only the final (reproducible) build. We all understood that it would not help the risk of downloading malicious sources in the first place (TOFU). But it would help in the other (already multiple times described) scenarios. And that is what we are talking about. We are not talking about checksums. And it would not hurt in any way to make sha512 the default, **we can only benefit from that.**
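An added example (my own, not code from this thread or from makepkg) of the source-integrity check discussed above: it reads the `source` and `sha512sums` arrays from a PKGBUILD without sourcing it, then compares each local file's SHA-512 digest with the recorded one, treating `SKIP` entries the way makepkg does. The package name, URLs and file contents are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path


def parse_array(pkgbuild: str, name: str) -> list:
    """Return the quoted entries of a bash array like sha512sums=('..' '..'); the text is parsed, never sourced."""
    m = re.search(r"^%s=\((.*?)\)" % re.escape(name), pkgbuild, re.S | re.M)
    return re.findall(r"""['"]([^'"]*)['"]""", m.group(1)) if m else []


def source_filename(entry: str) -> str:
    """makepkg naming rule: 'name::url' renames the download, otherwise the last URL component."""
    return entry.split("::", 1)[0] if "::" in entry else entry.rsplit("/", 1)[-1]


def verify_sources(pkgbuild: str, srcdir: Path) -> dict:
    """Map each source file name to 'ok', 'mismatch', 'missing' or 'skip' (SKIP entry)."""
    sources = parse_array(pkgbuild, "source")
    sums = parse_array(pkgbuild, "sha512sums")
    if len(sources) != len(sums):
        raise ValueError("source and sha512sums arrays differ in length")
    results = {}
    for entry, expected in zip(sources, sums):
        name = source_filename(entry)
        path = srcdir / name
        if expected == "SKIP":
            results[name] = "skip"  # e.g. a detached signature verified by other means
        elif not path.is_file():
            results[name] = "missing"
        else:
            actual = hashlib.sha512(path.read_bytes()).hexdigest()
            results[name] = "ok" if actual == expected.lower() else "mismatch"
    return results


def demo() -> dict:
    """Constructed PKGBUILD fragment and source tree for a hypothetical package 'foo'."""
    good = b"upstream tarball contents\n"
    good_sum = hashlib.sha512(good).hexdigest()
    patch_sum = hashlib.sha512(b"original patch\n").hexdigest()
    pkgbuild = (
        "pkgname=foo\n"
        "source=('https://example.invalid/foo-1.0.tar.gz' 'foo.patch' 'foo-1.0.tar.gz.sig::https://example.invalid/foo-1.0.tar.gz.sig')\n"
        f"sha512sums=('{good_sum}'\n            '{patch_sum}'\n            'SKIP')\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        srcdir = Path(tmp)
        (srcdir / "foo-1.0.tar.gz").write_bytes(good)
        (srcdir / "foo.patch").write_bytes(b"tampered patch\n")  # digest will not match
        return verify_sources(pkgbuild, srcdir)
```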