[arch-devops] Arch Linux ISO Checksums on archlinux.org
scimmia at archlinux.info
Mon Feb 22 15:42:20 UTC 2016
On Mon, 22 Feb 2016 16:22:40 +0100
Christian Rebischke <Chris.Rebischke at archlinux.org> wrote:
> Linux Mint had a security breach and was serving an infected ISO. I
> think this would be a good moment for thinking about our Arch Linux
> Download-page on . I recommend changing the checksums. MD5 and SHA1 are
> both broken.
> What do you think about using SHA256 (or even better SHA512) for this?
> Maybe we should also sign the ISO with a GPG-Key.
It already is signed.
> I don't mean that we should remove the MD5 checksum but we should add some
> other checksum and sign the ISO.
> You can call me paranoid but I don't want to see such a security fail on
> Best regards,
> Arch Linux Security Team
>  http://arstechnica.com/security/2016/02/linux-mint-hit-by-malware-infection-on-its-website-and-forum-after-hack-attack/
>  https://www.archlinux.org/download/
>  http://www.mathstat.dal.ca/~selinger/md5collision/
>  https://www.schneier.com/blog/archives/2015/10/sha-1_freestart.html