On 05/10/2018 01:25 AM, Leonid Isaev via arch-general wrote:
On Wed, May 09, 2018 at 09:30:51PM +0200, Neven Sajko wrote:
I would just like to note that SHA-2 hashes are inferior to Keccak and to BLAKE2. So better not to spend effort migrating to SHA-2.
Strength of various SHA hashes is a different topic. My only point was that relying on md5 these days is like having no hashes at all or using the source filename as a hash...
And there should be no migration -- when a new version of a package is released or a rebuild happens, just update the *sums array.
Cheers,
Hello Leonid Isaev, I really like you effort on stronger hashes. I totally aggree with you that we need those, if we can't have GPG signatures by the maintainers. Hashes just help in less usecases than GPG signatures, of course, but they do. Unfortunately I made the experience, that this discussion is useless here and you rather start helping with GPG signatures for every package. If you want to put effort into this topic, which I really appreciate, please directly go for GPG signatures, otherway it will be just a frustrating discussion for you, sadly. What I can recommend to you for this is to write to upstream projects who don't use GPG signatures yet. Explain them why its important and help them to improve their software release security. I made the experience that quite a lot of projects did not know about the importance of GPG or just never looked into it. Just a few refuse to use GPG, leave that for now. As additional support you can use the GPGit guides as well as the automated (same named) GPGit tool: https://github.com/NicoHood/gpgit It will help new users to understand GPG and provide them an easy to use tool to get started with GPG within a few minutes. Feedback for this is appreaciated. I wish you all good luck, dont hesitate to contact me further if you have any great ideas regarding GPG etc. ~Nico