On Thu, May 10, 2018 at 10:06:08AM +0200, NicoHood wrote:
I really like you effort on stronger hashes. I totally aggree with you that we need those, if we can't have GPG signatures by the maintainers. Hashes just help in less usecases than GPG signatures, of course, but they do.
Currently, about 55% of [core] and 31% of [extra] packages make use of validpgpkeys. In [community] it should be even less. So, it is still a long way to go while all PKGBUILDs use GPG-verified sources... I agree with others that using a single sha256sum instead of md5sum offers questionable security benefit, but at least it protects against future tampering with the src by an attacker who knows about MD5 collisions.
Unfortunately I made the experience, that this discussion is useless here and you rather start helping with GPG signatures for every package. If you want to put effort into this topic, which I really appreciate, please directly go for GPG signatures, otherway it will be just a frustrating discussion for you, sadly.
There are only about 13% of packages in both [core] and [extra] that use MD5 -- a relatively small percentage. Yes, replacing those with a stronger hash is a stop-gap measure, but it involves no maintainance overhead. When you brought up this point last December, I didn't know that it is possible to have concurrent CRC and MD5 collisions (ar at least they are difficult to find). But since then, I did some homework and it indeed seems quite easy these days. Therefore, using MD5 is no better than having SKIP. In this regard, I don't understand why we need checksums at all? If upstream: (1) signes source with GPG, it will take care of both integrity and authenticity, so no need for hashes; (2) doesn't provide signatures, rely on gzip/bzip2/xz CRC. It is not cryptographically secure, but we don't need that anyway. Hence, we can substantially simplify makepkg code...
What I can recommend to you for this is to write to upstream projects who don't use GPG signatures yet. Explain them why its important and help them to improve their software release security. I made the experience that quite a lot of projects did not know about the importance of GPG or just never looked into it. Just a few refuse to use GPG, leave that for now.
What about upstreams, like PAM, who stopped signing their releases? From a developer point of view, it makes sense to not have a GPG key because it implies an additional responsibility of keeping it safe. Therefore, I understand people who don't signed their src archives.
As additional support you can use the GPGit guides as well as the automated (same named) GPGit tool: https://github.com/NicoHood/gpgit It will help new users to understand GPG and provide them an easy to use tool to get started with GPG within a few minutes. Feedback for this is appreaciated.
I don't think it's needed. GPG is not complicated at all. The difficulty that prevents its widespread use lies with maintaining the key, and with that no guide can help...
I wish you all good luck, dont hesitate to contact me further if you have any great ideas regarding GPG etc.
Thanks, L. -- Leonid Isaev