[arch-general] Pointless to use non-md5 for makepkg INTEGRITY_CHECK

Xavier shiningxc at gmail.com
Mon Jan 12 18:06:07 EST 2009


On Mon, Jan 12, 2009 at 11:42 PM, Aaron Schaefer <aaron at elasticdog.com> wrote:
>
> My point was that we absolutely SHOULD be using checksums, and
> preferably a checksum that has no known vulnerabilities at this
> time...that's all. Your response shows that you DO see the value in
> using checksums, but I'm not understanding your preference for md5
> over sha256.
>

This makes sense in my opinion and the required work should be very
low, simply changing the default in makepkg.conf, and waiting for the
next pacman release with that other makepkg change (that might take
some time though ;)).

I think a big difference between archlinux packages and sources is
that packages are usually stored in the repos next to their checksums
(only md5sum is supported there), while source checksums are stored in
PKGBUILDs, not next to the sources.
That means that when a package mirror is compromised, the checksums
can be trivially updated, they are by no means used for security here.
But when a source mirror is compromised, the checksums in the
PKGBUILDs normally remain the same, so they do have some security
value here (in the situation where the PKGBUILD was created before the
source mirror was compromised).
Please correct me if I am wrong or totally offtopic :)

Another thing to consider is that afaik, it is easy to find collisions
on .tar files where padding is possible, but it might be much harder
on tar.gz. And that md5sums are the shortest ones, so the best-looking
ones in a PKGBUILD :) I thought that was the reason md5sums were still
used everywhere.
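The two situations contrasted above, as an added example that is not code from the thread or from pacman/makepkg: a PKGBUILD-style integrity check (digest recorded in the PKGBUILD, selectable md5 or sha256) applied to a source tarball that a compromised mirror later replaces, beside the repo case where the digest file sits next to the package on the same mirror and the attacker regenerates it. All file names, file contents and function names are constructed for this example; GNU coreutils (md5sum, sha256sum, mktemp) are assumed.

```shell
#!/bin/sh
# Added example, not makepkg's own code. Models the two cases from the
# thread: digests embedded in a PKGBUILD (recorded before the source mirror
# was compromised) versus digests published beside the package on the repo
# mirror. Everything below is constructed for illustration.

# Digest one file with the algorithm named by INTEGRITY_CHECK (md5 or sha256).
checksum_file() {
  local algo="$1" file="$2"
  case "$algo" in
    md5)    md5sum    -- "$file" | cut -d' ' -f1 ;;
    sha256) sha256sum -- "$file" | cut -d' ' -f1 ;;
    *)      echo "unsupported INTEGRITY_CHECK value: $algo" >&2; return 2 ;;
  esac
}

# verify_sources ALGO FILE=DIGEST...
# Check each downloaded FILE against the DIGEST recorded in the PKGBUILD,
# in the spirit of makepkg's check. Returns 1 if any file fails, 0 otherwise.
verify_sources() {
  local algo="$1" pair file want got status=0
  shift
  for pair in "$@"; do
    file="${pair%%=*}"
    want="${pair#*=}"
    got=$(checksum_file "$algo" "$file") || return 2
    if [ "$got" = "$want" ]; then
      printf '%s ... Passed\n' "$(basename -- "$file")"
    else
      printf '%s ... FAILED (expected %s, got %s)\n' \
        "$(basename -- "$file")" "$want" "$got" >&2
      status=1
    fi
  done
  return "$status"
}

# Case 1: the PKGBUILD author records the digest, then the source mirror is
# compromised and serves different content under the same file name.
# Returns 0 when the digest kept in the PKGBUILD catches the swap.
demo_source_mirror_compromise() {
  local algo="${1:-sha256}" tmp recorded rc=0
  tmp=$(mktemp -d) || return 2
  printf 'genuine upstream release\n' > "$tmp/foo-1.0.tar.gz"   # constructed "tarball"
  recorded=$(checksum_file "$algo" "$tmp/foo-1.0.tar.gz")      # what goes into the PKGBUILD
  printf 'backdoored release\n' > "$tmp/foo-1.0.tar.gz"        # mirror compromised later
  verify_sources "$algo" "$tmp/foo-1.0.tar.gz=$recorded" >/dev/null 2>&1 || rc=$?
  rm -rf -- "$tmp"
  [ "$rc" -eq 1 ]
}

# Case 2: package and its .md5 file live side by side on the repo mirror.
# Whoever replaces the package also rewrites the digest file, so the
# client's md5sum -c passes. Returns 0 when the tampered package verifies
# cleanly, i.e. when the side-by-side digest gave no protection.
demo_repo_mirror_compromise() {
  local tmp rc=0
  tmp=$(mktemp -d) || return 2
  printf 'genuine package\n' > "$tmp/foo-1.0-1.pkg.tar.gz"     # constructed package
  ( cd "$tmp" && md5sum foo-1.0-1.pkg.tar.gz > foo-1.0-1.pkg.tar.gz.md5 )
  printf 'backdoored package\n' > "$tmp/foo-1.0-1.pkg.tar.gz"  # mirror compromised ...
  ( cd "$tmp" && md5sum foo-1.0-1.pkg.tar.gz > foo-1.0-1.pkg.tar.gz.md5 )  # ... digest rewritten too
  ( cd "$tmp" && md5sum -c --status foo-1.0-1.pkg.tar.gz.md5 ) || rc=$?
  rm -rf -- "$tmp"
  [ "$rc" -eq 0 ]
}

# Stand-alone run: report what each case shows.
if demo_source_mirror_compromise sha256; then
  echo "source mirror swap: detected by the digest stored in the PKGBUILD"
else
  echo "source mirror swap: NOT detected"
fi
if demo_repo_mirror_compromise; then
  echo "repo mirror swap: NOT detected, the side-by-side .md5 was rewritten"
else
  echo "repo mirror swap: detected"
fi
```

Note that case 1 holds for md5 as well as sha256 (pass `md5` as the first argument): a stale digest catches a straightforward replacement either way. The algorithm choice only matters once an attacker can craft a substitute that collides with the recorded digest, which is the separate collision question raised above.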

