On Wed, Jul 04, 2007 at 11:46:49PM -0400, Dan McGee wrote:
On 7/4/07, Andrew Fyfe <andrew@neptune-one.net> wrote:
Xavier wrote:
Oh no, when reading the archives, I forgot to bookmark several important mails, took me a while to find this one back : http://www.archlinux.org/pipermail/pacman-dev/2006-October/006029.html So that's Judd opinion on that matter: "I never pretended that md5 was for anything security-related. If we were trying for security, we would've gone straight to signed packages. The md5sum was added to make sure downloaded files weren't corrupt.
I don't see the point of SHA1 if we're still using it/them for download validation. If we want security, then we might as well do it right."
As for my opinion on this, it's exactly the same as Andrew, it complicates the code for 0 benefit...
I fully agree with Judd's comment, using MD5 or SHA1 for security is plain stupid all we went a checksum for is a basic check that the package we've downloaded isn't corrupt. What are the odds you could download a corrupt package with the same checksum as the valid package?
My preference would be to stick with 1 checksum (preferably MD5 as that's what's mainly used in Arch at the moment), and remove the other to simplify the code.... K.I.S.S.
Patches welcome for this. If anyone wants to start looking into package signing as well, then more power to you.
I also dislike the fact that we have 3 different files for the md5 stuff- md5driver.c, md5.c, and md5.h. We should be able to move this code all into a C file and header, md5.c and md5.h, without difficulties. Make this a separate patch though.
I was the main person pushing for this and it was mostly for the malicious downloads. It's not the package downloading that I was worried about as much as the source tarballs. We use md5sums to make sure that the tarball we downloaded building the package is the same as the tarball that the developer used when they built the package. If someone gets access to the upstream's server, we're using the md5sum to trust files over time. I had long discussions with Aaron about this. He still wasn't convinced but added it because it didn't hurt. Eventually we decided that the best bet was to store source packages on the arch servers, because then we could trust those. That just hasn't happened yet. Obviously there are way more people who think this is dumb than I do. I wrote the original patch for this (makepkg only) during LinuxTag 2005 after JGC mentioned that BSD uses two hashes. I thought their reasoning was sound so I wanted to do it too. Jason