On 02/23/2017 04:31 PM, Mike Swanson wrote:
> Both the MD5 and SHA-1 hash functions have known collision attacks, providing an attack vector for malicious hosts and MITMs to provide tampered code without being detected by md5, or sha1, hashing.
>
> We should move to sha256-by-default, and encourage their use by changing the documentation and example files to follow suit. The SHA-2 family of hashes is currently secure against normal attacks (even at the scale of having Facebook's or Google's datacenters). In the future, pacman should gain SHA-3 support though, because SHA-2 itself has some theoretical preimage attacks and possible collision attacks.
I like the idea. ;) But this has come up multiple times already, and Allan has strongly resisted it. From the thread "[arch-general] Stronger Hashes for PKGBUILDs" (Dec. 2016):
> I advocate keeping md5sum as the default because it is broken. If I see someone purely verifying their sources using md5sum in a PKGBUILD (and not pgp signature), I know that they have done nothing to actually verify the source themselves.
>
> If sha2sums become default, I now know nothing. Did the maintainer of the PKGBUILD get that checksum from a securely distributed source from upstream? Had the source already been compromised upstream before the PKGBUILD was made? Now I am securely verifying the unknown.
>
> But we don't care about that... we just want to feel warm and fuzzy with a false sense of security.
Also, there was a thread in the forums somewhere... Essentially, his arguments boil down to "strong checksums don't prove anything except that the AUR maintainer bumped the pkgver and ran `updpkgsums` to blindly insert unverified hashes into the PKGBUILD", and therefore md5sums are perfectly okay for the one thing they are meant to do, which is prove that the download wasn't corrupted in a freak accident. He did imply he'd be okay replacing the whole *sums thing with "crcsums", just to make things clearer for everyone. ;)

It is of course very true that anyone who *really* cares about the security of a package should lean on upstream to provide proper GPG signatures for their release artifacts, as that will be immeasurably more secure than any anonymous checksums no matter how strong, or how much you trust the maintainer. :)

... Good luck convincing Allan (you'll *need* it...).

-- 
Eli Schwartz
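To make the distinction the thread keeps circling concrete, here is an added POSIX shell example (not code from this thread, nor from pacman or makepkg) that separates the two checks a PKGBUILD can express: a checksum, which only proves the fetched tarball matches whatever sum the maintainer recorded, and a detached PGP signature checked against an explicit key allow-list, which is what `validpgpkeys` provides. The file names and the fingerprint argument are placeholders the caller supplies; `gpg` and the upstream key must be present for the signature check.

```shell
#!/bin/sh
# Integrity vs. authenticity of a downloaded source, in the style of a
# PKGBUILD's *sums and validpgpkeys checks (added example, not makepkg code).

# Portable sha256 of a file (coreutils sha256sum, or shasum on BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Integrity only. Passes when FILE hashes to EXPECTED. A strong hash makes a
# collision impractical, but it still says nothing about where EXPECTED came
# from: a sum recorded by `updpkgsums` is the hash of whatever was fetched at
# that moment, tampered or not.
check_sum() {   # check_sum FILE EXPECTED_SHA256 -> exit 0 on match
    [ "$(sha256_of "$1")" = "$2" ]
}

# Authenticity. Verifies the detached signature SIGFILE over FILE and accepts
# only if gpg reports a VALIDSIG from the key whose full fingerprint is FPR
# (the role validpgpkeys plays in makepkg). Trust is anchored in the key, not
# in a value copied from the same download channel as the tarball.
check_sig() {   # check_sig FILE SIGFILE FPR -> exit 0 when signed by FPR
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG $3 "
}

# Combined policy: the sum must match, and when a signature exists it must
# verify against the allow-listed key. A matching sum alone is not enough
# evidence to report "verified" when a signature was expected.
verify_source() {   # verify_source FILE EXPECTED_SHA256 [SIGFILE FPR]
    check_sum "$1" "$2" || { echo "checksum mismatch: $1" >&2; return 1; }
    if [ $# -ge 4 ]; then
        check_sig "$1" "$3" "$4" || { echo "bad or untrusted signature: $3" >&2; return 1; }
    fi
    return 0
}
```

The `check_sum` step alone is the md5sums/sha256sums situation the thread describes; only the `check_sig` step ties the artifact to an identity the maintainer chose in advance.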