On Wed, May 09, 2018 at 12:31:39AM -0400, Eli Schwartz via arch-general wrote:
PGP keys are also far more likely to appear in multiple independently verifiable locations, you can embed them in your DNS records, post them on your blog, github profile, keybase.io proofs utilizing DNS as well as social media linkages, email footer (and signed email history) to establish a difficult-to-falsify history, or simply follow the PGP web of trust.
It is all true. But... if I care to only do "makepkg -g >> PKGBUILD", then I'm unlikely to follow web of trust, and if I'm going to scout mailing lists for email footers, I will also scout debian, gentoo, alpine and fedora repos for different hashes. That was my only point, but we are mixing policy and technical issues. If hashes are supposed to mean that I'm building the same source as the maintainer, then using only md5sums negate this because the source can be silently swapped using existing libraries, and attackers don't even need to know mathematics behind md5 collisions... I agree that using strong hashes alone does not address security of source distribution, but neither does HTTPS for instance. At least, with sha-2 hashes, point #3 of your previous email makes sense. Thanks, -- Leonid Isaev