On 12/26/2016 01:21 PM, Allan McRae wrote:
On 26/12/16 22:12, NicoHood wrote:
On 12/16/2016 05:46 PM, Diego Viola via arch-general wrote:
On Sat, Dec 3, 2016 at 3:27 AM, fnodeuser <subscription@binkmail.com> wrote:
https://lists.archlinux.org/pipermail/arch-dev-public/2016-November/028492.h...
i have a few things to add to this.
the message digests at the download page for the .iso file must change to sha256 and sha512 ones, or to a sha512 one.
if an upstream does not sign the files, does not have https enabled, and/or refuses to take security and privacy seriously, sha512 must be used in the PKGBUILD files.
in the cases of upstreams that use md5 and/or sha1 message digests, those will be added in a second ALGOsums= line under the sha512sums= line. if they use md5 and sha1, then sha1sums must be used for the second ALGOsums= line.
Once again I must say thanks, fnodeuser.
Yesterday I wanted to install ArchLinux on someone else's computer. He used Windows until now and had no gpg handy yet (it is really annoying to install on Windows).
So we needed to verify the source some other way. But there was no real option, as md5/sha1 is broken and his internet is too slow to download it again via torrent. We did not install Arch then; in the next few days I will send him the sha512sum from my computer, where I did a torrent download.
The ArchLinux website connects via https. The mirror he used did not (http or ftp). So we had a real problem and there was no way to verify the source properly. Adding sha256 and sha512 would not cause more trouble but would be extremely helpful here.
@Allan I think you are responsible for this if I am correct. Would you please be so kind and add sha256 sums to the download page?
I have nothing to do with this.
Also, is there even a theoretical case where a joint md5 and sha1 collision has occurred?
Oh sorry. ArchLinux wants to KISS, so we should simply add stronger hashes instead of requiring the user to download two tools. It's quite a struggle to find a hash tool for Windows anyway. Also the website should state from which person the signature is and which fingerprint it uses. I still could not find this information (otherwise I'd contact this person). Going to add a bug report instead: https://bugs.archlinux.org/task/52273
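The verification step the thread is arguing about, written out as an added POSIX shell example (not code from the thread, from Arch, or from any of the people quoted above): it checks a downloaded file against published sha256/sha512 sums in the usual "hex  filename" format, refuses to accept md5 or sha1 as the only digest, and shows a gpg call for the detached-signature check NicoHood mentions. The file names, the `sha256.sums`/`sha512.sums` layout and the ISO payload below are constructed for the demo, not Arch's real download layout.

```shell
#!/bin/sh
# Added example, not from the thread. Verifies a download against sha256/sha512
# sums files ("<hex>  <filename>" lines, as sha256sum/sha512sum print them).
# File names and sample data are constructed; the real Arch layout may differ.
set -u

# verify_digest FILE SUMSFILE ALGO
# Returns 0 on a match, 1 on mismatch, 2 if ALGO is refused/unknown, 3 if no entry.
verify_digest() {
    file=$1 sums=$2 algo=$3
    case $algo in
        sha256|sha512) ;;
        md5|sha1)
            echo "refusing $algo: collision attacks are practical, use sha256/sha512" >&2
            return 2 ;;
        *)  echo "unsupported algorithm: $algo" >&2; return 2 ;;
    esac
    name=$(basename "$file")
    # Pick the line whose filename field matches; strip a leading '*' (binary-mode marker).
    expected=$(awk -v n="$name" '{ f=$2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums")
    if [ -z "$expected" ]; then
        echo "no $algo entry for $name in $sums" >&2
        return 3
    fi
    actual=$("${algo}sum" "$file" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "$algo MISMATCH for $name" >&2
        return 1
    fi
    echo "$algo OK: $name"
}

# verify_all FILE DIR: every strong sums file present in DIR must match,
# and at least one of them must exist (an md5-only mirror is not enough).
verify_all() {
    file=$1 dir=$2 ok=0
    for algo in sha256 sha512; do
        sums="$dir/$algo.sums"
        [ -f "$sums" ] || continue
        verify_digest "$file" "$sums" "$algo" || return $?
        ok=1
    done
    [ "$ok" -eq 1 ] || { echo "no sha256/sha512 sums available for $file" >&2; return 3; }
}

# verify_signature FILE SIGFILE: detached PGP signature check. Only meaningful
# after the signer's key has been imported and its fingerprint checked by hand;
# not run in the demo because it needs a key and network-fetched signature.
verify_signature() {
    gpg --verify "$2" "$1"
}

# Demo on constructed data: a genuine file verifies, a tampered copy is
# rejected, and an md5-only sums file is refused. Returns 0 if all three hold.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed ISO payload, not a real image\n' > "$d/archlinux.iso"
    ( cd "$d" && sha256sum archlinux.iso > sha256.sums \
              && sha512sum archlinux.iso > sha512.sums \
              && md5sum    archlinux.iso > md5.sums ) || { rm -rf "$d"; return 1; }
    verify_all "$d/archlinux.iso" "$d" || { rm -rf "$d"; return 1; }
    printf 'injected bytes\n' >> "$d/archlinux.iso"
    if verify_all "$d/archlinux.iso" "$d"; then rm -rf "$d"; return 1; fi
    if verify_digest "$d/archlinux.iso" "$d/md5.sums" md5; then rm -rf "$d"; return 1; fi
    rm -rf "$d"
    echo "demo: genuine file accepted, tampered file and md5-only sums rejected"
}

demo
```

The digest check only proves the file matches what the sums file says; if both came over plain http from the same mirror, an attacker who can rewrite one can rewrite the other, which is why the sums have to come from the https page (or the signature from a key whose fingerprint was checked out of band) for the check to mean anything.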