On 07.12.2016 at 10:49, Allan McRae wrote:
... I advocate keeping md5sum as the default because it is broken. If I see someone purely verifying their sources using md5sum in a PKGBUILD (and not pgp signature), I know that they have done nothing to actually verify the source themselves. ...
That is a very dangerous assumption. I know for a fact that many maintainers used md5 for verification because it is the default. There are/were maintainers that downloaded the source, verified the pgp signature and generated the md5 checksum to include it in the PKGBUILD (without the pgp signature). md5 is associated with security even though it is broken. People who do not know they can use a different checksum will assume the arch build system is just that crappy and md5sum is the only available validation. What you associate with md5 is not relevant.

On 07.12.2016 at 11:09, Allan McRae wrote:
On 07/12/16 19:58, Gregory Mullen wrote:
But we don't care about that... we just want to feel warm and fuzzy with a false sense of security.
No one is suggesting sha*sum replace, and actual security/authentication check. Only that maybe it's not a good idea to use a system we all know is broken.
If everyone knows it is broken, upstream will not be providing md5sums to compare against, and then any PKGBUILD maintainer that has verified the source files using upstream provided hashes will not use md5sum.
Again, a very dangerous assumption.
All we do by changing away from md5sum as the default is hiding the large number of packages that do nothing to verify upstream source integrity.
In fact, I am making CRC the default.
I hope that is NOT sarcasm. No, seriously, that's what I had in mind from the start: making sure md5 is not taken as a security thing. Using a line like crc_checksum_NOTFORSECUREVERIFICATION!!! is an even better idea. If you want to know if the package source is verified, why not use the existence of https or pgp signatures in the build file? Do you think any default will keep maintainers from generating sha512 checksums without verifying the sources? A big fat warning about missing validation should automatically be generated in any package that misses signatures or at least https source downloads. And while we are at it, I would like to point out that git downloads are used as verification as well and I'm not sure what a crypto expert would say about that.
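The warning proposed in the last message, as an added illustration that is not part of the thread or of makepkg: a small lint that reads the `source=` array of a PKGBUILD and flags archives without a detached signature, non-TLS downloads, VCS sources that carry no hash at all, and the use of `md5sums`. The PKGBUILD text is constructed, and the array parser is a deliberate simplification (it only handles quoted or bare whitespace-separated entries, not arbitrary bash).

```python
import re

# Constructed sample PKGBUILD fragment; not a real package.
SAMPLE_PKGBUILD = """\
pkgname=example
source=("https://example.org/example-1.0.tar.gz"
        "https://example.org/example-1.0.tar.gz.sig"
        "http://mirror.example.org/example-plugin-0.3.tar.xz"
        "git+https://git.example.org/example.git#tag=v1.0")
md5sums=('SKIP' 'SKIP' 'SKIP' 'SKIP')
"""

SIGNATURE_SUFFIXES = (".sig", ".asc", ".sign")
VCS_SCHEMES = ("git", "hg", "svn", "bzr")


def parse_array(text, name):
    """Return entries of a bash array assignment `name=(...)`.
    Simplified (assumption): quoted or bare whitespace-separated entries only."""
    m = re.search(rf'^{re.escape(name)}=\((.*?)\)', text, re.S | re.M)
    return [e.strip('"\'') for e in m.group(1).split()] if m else []


def audit_pkgbuild(pkgbuild):
    """Return warnings about source entries that lack real authentication."""
    warnings = []
    # A source entry may be "localname::url"; keep only the URL part.
    urls = [s.split("::", 1)[-1] for s in parse_array(pkgbuild, "source")]
    sigs = {u for u in urls if u.endswith(SIGNATURE_SUFFIXES)}
    # Basenames covered by a signature file, with the signature suffix removed.
    signed = {s.rsplit("/", 1)[-1].rsplit(".", 1)[0] for s in sigs}
    if sigs and "validpgpkeys" not in pkgbuild:
        warnings.append("signature files listed but no validpgpkeys array")
    for url in urls:
        if url in sigs:
            continue
        scheme = url.split("://", 1)[0]
        if "+" in scheme or scheme in VCS_SCHEMES:
            warnings.append(f"{url}: VCS source, no checksum or signature applies")
            continue
        if url.rsplit("/", 1)[-1] not in signed:
            warnings.append(f"{url}: no detached signature")
        if not url.startswith("https://"):
            warnings.append(f"{url}: fetched without TLS")
    if re.search(r"^md5sums=", pkgbuild, re.M):
        warnings.append("md5sums used: MD5 is not collision resistant")
    return warnings


if __name__ == "__main__":
    for line in audit_pkgbuild(SAMPLE_PKGBUILD):
        print("WARNING:", line)
```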