On Mon, Jan 12, 2009 at 17:42, Aaron Schaefer <aaron@elasticdog.com> wrote:
My point was that we absolutely SHOULD be using checksums, and preferably a checksum that has no known vulnerabilities at this time...that's all. Your response shows that you DO see the value in using checksums, but I'm not understanding your preference for md5 over sha256.
It's not a preference of md5 over sha256. It's a lack of preference. A lot of us don't think it's a huge deal, as you are downloading source from some project's website (which could be faked, sure).. and so unless they KNOW you are using archlinux, what your ip is, and have taken the time to inject stuff that builds successfully with the original PKGBUILD _and_ is malicious... It's pretty far out there. Not to mention I've put sha1 and md5 in a lot of my packages, and I haven't heard of any attacks working against both algorithms to create a buildable malicious executable. And even if that wild and unresearched assumption of using two hashes is wrong, it doesn't matter. Anyone who wanted to do real harm would look at the binary packages we ship, skipping all the above effort. And lucky for Arch, there is work being done on package signing, and that's the concern we all seem to agree on. // jeff