[arch-devops] Arch Linux ISO Checksums on archlinux.org
Doug Newgard
scimmia at archlinux.info
Mon Feb 22 15:42:20 UTC 2016
On Mon, 22 Feb 2016 16:22:40 +0100
Christian Rebischke <Chris.Rebischke at archlinux.org> wrote:
> Hello,
> Linux Mint had a security breach [1] and was serving an infected ISO. I
> think this would be a good moment for thinking about our Arch Linux
> Download-page on [2]. I recommend to change the checksums. MD5 and SHA1 are
> both broken.[3][4]
>
> What do you think about using SHA256 ( or even better SHA512 ) for this?
> Maybe we should also sign the ISO with a GPG-Key.
It already is signed.
>
> I don't mean that we should remove the MD5 checksum but we should add some
> other checksum and sign the ISO.
>
> You can call me paranoid but I don't want too see such a security fail on
> archlinux.org
>
> Best regards,
>
> Chris
>
> Arch Linux Security Team
>
> [1] http://arstechnica.com/security/2016/02/linux-mint-hit-by-malware-infection-on-its-website-and-forum-after-hack-attack/
> [2] https://www.archlinux.org/download/
> [3] http://www.mathstat.dal.ca/~selinger/md5collision/
> [4] https://www.schneier.com/blog/archives/2015/10/sha-1_freestart.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-devops/attachments/20160222/f2a80e50/attachment.asc>
More information about the arch-devops
mailing list