[arch-general] Pointless to use non-md5 for makepkg INTEGRITY_CHECK

Jeff Mickey jeff at archlinux.org
Mon Jan 12 18:06:02 EST 2009


On Mon, Jan 12, 2009 at 17:42, Aaron Schaefer <aaron at elasticdog.com> wrote:
> My point was that we absolutely SHOULD be using checksums, and
> preferably a checksum that has no known vulnerabilities at this
> time...that's all. Your response shows that you DO see the value in
> using checksums, but I'm not understanding your preference for md5
> over sha256.

It's not a preference of md5 over sha256.  It's a lack of preference.
A lot of us don't think it's a huge deal, as you are downloading
source from some project's website (which could be faked, sure)... and
so unless they KNOW you are using archlinux, what your IP is, and have
taken the time to inject stuff that builds successfully with the
original PKGBUILD _and_ is malicious...  It's pretty far out there.
Not to mention I've put sha1 and md5 in a lot of my packages, and I
haven't heard of any attacks working against both algorithms to create
a buildable malicious executable.  And even if that wild and
unresearched assumption of using two hashes is wrong, it doesn't
matter.  Anyone who wanted to do real harm would look at the binary
packages we ship, skipping all the above effort.  And lucky for Arch,
there is work being done on package signing, and that's the concern we
all seem to agree on.

  //  jeff
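The thread turns on how makepkg's INTEGRITY_CHECK treats each digest array (md5sums, sha1sums, sha256sums) as an independent check that a downloaded source must pass. The POSIX shell function below is an added illustration written for this archive page, not makepkg's own code: it verifies one file against any number of algo=hex pairs and rejects the file if a single digest mismatches. It assumes the coreutils md5sum/sha1sum/sha256sum tools and uses the SKIP marker that later makepkg versions accept for unverified sources; the sample file is constructed.

```shell
#!/bin/sh
# Verify one downloaded source against every checksum listed for it.
# Each algorithm is checked independently; the file is accepted only if
# all listed digests match (mirrors makepkg's INTEGRITY_CHECK loop).
# Usage: check_integrity FILE ALGO=HEX [ALGO=HEX ...]  (ALGO: md5|sha1|sha256)
# Returns 0 when every digest matches, 1 on any mismatch or error.
check_integrity() {
    file=$1; shift
    status=0
    [ -f "$file" ] || { echo "==> ERROR: $file: no such file" >&2; return 1; }
    for entry in "$@"; do
        algo=${entry%%=*}
        expected=${entry#*=}
        case $algo in
            md5|sha1|sha256) ;;
            *) echo "==> ERROR: unknown algorithm '$algo'" >&2; status=1; continue ;;
        esac
        # SKIP is makepkg's marker for "do not verify this source with this array"
        if [ "$expected" = SKIP ]; then
            echo "    $file ... Skipped ($algo)"
            continue
        fi
        actual=$("${algo}sum" "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "    $file ... Passed ($algo)"
        else
            echo "    $file ... FAILED ($algo)" >&2
            status=1
        fi
    done
    return $status
}

# Demonstration on a constructed file standing in for an upstream tarball.
demo() {
    tmp=$(mktemp)
    printf 'constructed sample source\n' > "$tmp"
    md5=$(md5sum "$tmp" | cut -d' ' -f1)
    sha=$(sha256sum "$tmp" | cut -d' ' -f1)
    check_integrity "$tmp" "md5=$md5" "sha256=$sha" && echo "accepted"
    # Tamper with the download: both digests recorded for the original now fail.
    printf 'x' >> "$tmp"
    check_integrity "$tmp" "md5=$md5" "sha256=$sha" || echo "rejected"
    rm -f "$tmp"
}

demo
```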

