On Mon, Jan 12, 2009 at 11:42 PM, Aaron Schaefer <aaron@elasticdog.com> wrote:
My point was that we absolutely SHOULD be using checksums, and preferably a checksum that has no known vulnerabilities at this time...that's all. Your response shows that you DO see the value in using checksums, but I'm not understanding your preference for md5 over sha256.
This makes sense in my opinion and the required work should be very low, simply changing the default in makepkg.conf, and waiting for the next pacman release with that other makepkg change (that might take some time though ;)). I think a big difference between archlinux packages and sources, is that packages are usually stored in the repos next to their checksums (only md5sum is supported there), while source checksums are stored in PKGBUILDs, not next to the sources. That means that when a package mirror is compromised, the checksums can be trivially updated, they are by no mean used for security here. But when a source mirror is compromised, the checksums in the PKGBUILDs normally remain the same, so they do have some security value here (in the situation where the PKGBUILD was created before the source mirror was compromised). Please correct me if I am wrong or totally offtopic :) Another thing to consider is that afaik, it is easy to find collisions on .tar files where padding is possible, but it might be much harder on tar.gz. And that md5sums are the shortest one so the best looking one in a PKGBUILD :) I thought that was the reason md5sums were still used everywhere.