[arch-dev-public] Stronger Hashes for PKGBUILDs

NicoHood archlinux at nicohood.de
Tue Nov 29 16:02:07 UTC 2016


It has been discussed and suggested by a lot of different people[1]
that we should use stronger hashes inside our PKGBUILDs. Since we now
must check for and use https and GPG when that is possible[2], we should
also consider making the switch to stronger hashes.

Server cracks and MitM attacks could lead to the fetching of tampered
source files that are used for package building. This can be dangerous
when older packages must be rebuilt automatically or are modified. Using
a weak hash function's message digests for verification could lead to
the use of tampered source files without us noticing that. Especially
when https and GPG cannot be used, it is a must to use strong hashes for
verifying the integrity of the sources.

**The usage of weak hash function algorithms (md5 and sha1) must be
avoided.** sha512 must become the default. If upstream uses message
digests of weak hash function algorithms, the message digests of those
can also be included in the PKGBUILD files, and those message digests
should be seen as an additional check. Stronger hashes have **no
disadvantages, they can only improve security**.

We should also change the default value of INTEGRITY_CHECK in
/etc/makepkg.conf to use sha512 by default, as suggested multiple times
on the bugtracker[1]. The wiki[3] needs to be changed accordingly to our
new GPG, https and hash guidelines.

We as the ArchLinux distribution should try to provide our users the best
security of our packages as well as the PKGBUILDs. Thanks for all your
support!


[1] Deprecate md5 and sha1
https://lists.archlinux.org/pipermail/arch-general/2009-January/003215.html
https://bugs.archlinux.org/task/51236
https://bugs.archlinux.org/task/39210
https://bugs.archlinux.org/task/38543
https://bugs.archlinux.org/task/12772

[2] https and GPG
https://lists.archlinux.org/pipermail/arch-dev-public/2016-October/028416.html
https://www.archlinux.org/todo/use-gpg-signatures-and-https-sources/

[3] https://wiki.archlinux.org/index.php/PKGBUILD#Integrity
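The policy in the mail, carrying a sha512sums=() array as the primary check and keeping any upstream-published md5sums=() only as an additional check, worked through as an added example (not from the mail and not makepkg's own code). It assumes GNU coreutils sha512sum/md5sum, and the sample files and digests are constructed inline.

```bash
#!/bin/bash
# Added example: a minimal re-implementation of the multi-digest check a
# source file gets when the PKGBUILD carries both sha512sums=() and
# md5sums=(). Not makepkg's code; assumes GNU coreutils sha512sum/md5sum.

# Constructed stand-ins for the upstream tarball and a tampered copy.
TRUSTED="$(mktemp)"; TAMPERED="$(mktemp)"
trap 'rm -f "$TRUSTED" "$TAMPERED"' EXIT
printf 'pkg-1.0 source\n' > "$TRUSTED"
printf 'pkg-1.0 source, modified in transit\n' > "$TAMPERED"

# In a real PKGBUILD these arrays are generated from the trusted upstream
# file (makepkg -g / updpkgsums, using INTEGRITY_CHECK from makepkg.conf);
# here they are computed from the constructed $TRUSTED file.
sha512sums=("$(sha512sum "$TRUSTED" | cut -d' ' -f1)")
md5sums=("$(md5sum "$TRUSTED" | cut -d' ' -f1)")

# check_digest <algo> <file> <expected>: 0 on match, 1 on mismatch.
# A 'SKIP' entry is accepted, as makepkg accepts it.
check_digest() {
    local algo="$1" file="$2" expected="$3" actual
    [ "$expected" = "SKIP" ] && return 0
    actual="$("${algo}sum" "$file" | cut -d' ' -f1)"
    [ "$actual" = "$expected" ]
}

# verify_source <file>: the strong digest array is mandatory, and every
# digest array present must match. A weak digest (md5) can only add a
# check; it never replaces the sha512 one.
verify_source() {
    local file="$1" failed=0
    if [ "${#sha512sums[@]}" -eq 0 ]; then
        echo "no sha512sums: refusing to verify with weak digests only" >&2
        return 2
    fi
    check_digest sha512 "$file" "${sha512sums[0]}" \
        || { echo "sha512 mismatch for $file" >&2; failed=1; }
    if [ "${#md5sums[@]}" -gt 0 ]; then
        check_digest md5 "$file" "${md5sums[0]}" \
            || { echo "md5 mismatch for $file" >&2; failed=1; }
    fi
    return "$failed"
}

verify_source "$TRUSTED" && echo "trusted copy: OK"
verify_source "$TAMPERED" || echo "tampered copy: rejected"
```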
