[arch-devops] Arch Linux ISO Checksums on archlinux.org

Christian Rebischke Chris.Rebischke at archlinux.org
Mon Feb 22 15:22:40 UTC 2016


Hello,
Linux Mint had a security breach [1] and was serving an infected ISO. I
think this would be a good moment for thinking about our Arch Linux
Download-page on [2]. I recommend to change the checksums. MD5 and SHA1 are
both broken.[3][4]

What do you think about using SHA256 ( or even better SHA512 ) for this?
Maybe we should also sign the ISO with a GPG-Key.

I don't mean that we should remove the MD5 checksum but we should add some
other checksum and sign the ISO. 

You can call me paranoid but I don't want too see such a security fail on
archlinux.org

Best regards,

Chris 

Arch Linux Security Team

[1] http://arstechnica.com/security/2016/02/linux-mint-hit-by-malware-infection-on-its-website-and-forum-after-hack-attack/
[2] https://www.archlinux.org/download/
[3] http://www.mathstat.dal.ca/~selinger/md5collision/
[4] https://www.schneier.com/blog/archives/2015/10/sha-1_freestart.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-devops/attachments/20160222/a33dcb54/attachment.asc>


More information about the arch-devops mailing list