On Thu, Jan 16, 2014 at 5:50 PM, Allan McRae <allan@archlinux.org> wrote:
> On 17/01/14 08:41, Jason St. John wrote:
>> MD5 has been significantly compromised for years; switching to a more secure hash function, such as SHA-1, is long overdue.
>>
>> Signed-off-by: Jason St. John <jstjohn@purdue.edu>
>
> No. It is up to the packager to fill out the checksums with what is provided upstream. Because if upstream do not provide the checksums, they are pointless. Even better if upstream provides signatures.
>
> Allan

There are still two benefits to changing the default checksum:

1) The AUR uses HTTPS by default, which ensures that the source tarball has not been tampered with in transit. Using a better hash function reduces the chances of an attacker man-in-the-middle'ing end-users when they download the sources from upstream, even over unsecure connections (e.g. unencrypted Wi-Fi, regular HTTP).

2) Most packagers just leave the default option simply because it's the default, and I would argue that it is rare for packagers, especially AUR maintainers, to use the same checksum algorithm as upstream.

To be honest, I didn't know that the purpose of the checksum was so it could be compared to upstream; I assumed it was a security mechanism for point 1, above.

Jason
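
The check discussed in point 1 above, as an added example that is not part of the original thread or of makepkg: a recipe obtained over a trusted channel pins digests, and the separately downloaded source is compared against them. The recipe fragment, file name, tarball bytes, function names and the `WEAK` policy set are assumptions constructed for this example; the `source`, `<algo>sums` and `SKIP` syntax follows makepkg's PKGBUILD format.

```python
import hashlib
import re

# Constructed sample: file name, contents and recipe are made up for this example.
TARBALL = b"example upstream tarball contents\n"
PKGBUILD = """
source=('example-1.0.tar.gz' 'example-1.0.tar.gz.sig')
md5sums=('%s' 'SKIP')
sha256sums=('%s' 'SKIP')
""" % (hashlib.md5(TARBALL).hexdigest(), hashlib.sha256(TARBALL).hexdigest())

ALGOS = ("md5", "sha1", "sha256", "sha384", "sha512")
WEAK = {"md5", "sha1"}  # this example's policy, not something the thread decided

def parse_array(text, name):
    """Return the single-quoted entries of a bash array, or [] if it is absent."""
    m = re.search(r"^%s=\((.*?)\)" % re.escape(name), text, re.M | re.S)
    return re.findall(r"'([^']*)'", m.group(1)) if m else []

def verify(pkgbuild, files):
    """Compare downloaded bytes (name -> bytes) with every <algo>sums array present."""
    sources = parse_array(pkgbuild, "source")
    results = []
    for algo in ALGOS:
        sums = parse_array(pkgbuild, algo + "sums")
        if sums and len(sums) != len(sources):
            raise ValueError("%ssums has %d entries for %d sources" % (algo, len(sums), len(sources)))
        for src, expected in zip(sources, sums):
            if expected == "SKIP":
                status = "skipped"   # integrity left to another mechanism
            elif src not in files:
                status = "missing"
            else:
                actual = hashlib.new(algo, files[src]).hexdigest()
                status = "ok" if actual == expected.lower() else "MISMATCH"
            results.append((src, algo, status))
    return results

def weakly_pinned(results):
    """Sources that passed verification, but only under algorithms in WEAK."""
    ok = {}
    for src, algo, status in results:
        if status == "ok":
            ok.setdefault(src, set()).add(algo)
    return sorted(src for src, algos in ok.items() if algos <= WEAK)

if __name__ == "__main__":
    for row in verify(PKGBUILD, {"example-1.0.tar.gz": TARBALL}):
        print(*row)
```

A `MISMATCH` only detects tampering relative to the recipe; it says nothing about whether the packager's recorded digest matched what upstream published.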