[arch-general] Pointless to use non-md5 for makepkg INTEGRITY_CHECK

Aaron Schaefer aaron at elasticdog.com
Mon Jan 12 18:40:45 EST 2009


On Mon, Jan 12, 2009 at 6:06 PM, Jeff Mickey <jeff at archlinux.org> wrote:
> It's pretty far out there.
> Not to mention I've put sha1 and md5 in a lot of my packages, and I
> haven't heard of any attacks working against both algorithms to create
> a buildable malicious executable.  And even if that wild and
> unresearched assumption of using two hashes is wrong, it doesn't
> matter.  Anyone who wanted to do real harm would look at the binary
> packages we ship, skipping all the above effort.

I don't think it's that far out there...md5 has been known to be
vulnerable since 2005 (theorized long before that), and it is possible
to create completely different files with the same hash:

  http://www.mscs.dal.ca/~selinger/md5collision/

SHA-1 is also broken (also for a while now:
http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html),
but you're right, using them both does give you some protection. The
problem is (which was the point of my original email), unless the
users have both checksum types set in their makepkg.conf file, then
the verification process of makepkg will show a warning even if both
of the checksums are valid. That has been fixed, and I'm merely
pointing out that it would be painless to move to a currently secure
hash going forward.

Like you said, since source is not downloaded directly from us
(meaning we can't control it), being as protected as possible on our
side of things will help if any one of our upstream providers does
happen to get hacked. That's why I think you should care. It's true
that some day we might have to move to Skein or whatever algorithm
NIST decides will be the new SHA-3 standard, but that's just the way
things are.

--
Aaron "ElasticDog" Schaefer
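
The policy argued for in the message above, as an added example that is not part of the original post and is not makepkg's own code: check a source file against every checksum supplied for it, fail on any mismatch, and flag the case where only md5/sha1 were available. The function names, the `ALGO:HEX` argument format and the return codes are assumptions made for illustration; the digests come from the coreutils `md5sum`/`sha1sum`/`sha256sum` family.

```shell
#!/bin/sh
# Added illustration (hypothetical helper names, not makepkg internals).
# Usage: verify_source FILE ALGO:HEX [ALGO:HEX ...]
# Return codes (assumed convention for this example):
#   0  every digest matched and at least one was sha256/sha384/sha512
#   1  a digest did not match
#   2  every digest matched, but only md5 and/or sha1 were supplied
#   3  an unsupported algorithm name was given

digest() {  # digest ALGO FILE -> lowercase hex digest on stdout
    case "$1" in
        md5|sha1|sha256|sha384|sha512) "${1}sum" "$2" | cut -d' ' -f1 ;;
        *) return 1 ;;
    esac
}

verify_source() {
    file=$1; shift
    strong=0
    for pair in "$@"; do
        algo=${pair%%:*}
        # Normalise the expected value so upper-case hex still compares equal.
        want=$(printf '%s' "${pair#*:}" | tr 'A-F' 'a-f')
        got=$(digest "$algo" "$file") || {
            echo "unsupported algorithm: $algo" >&2
            return 3
        }
        if [ "$got" != "$want" ]; then
            echo "FAILED: $algo mismatch for $file" >&2
            return 1
        fi
        case "$algo" in
            sha256|sha384|sha512) strong=1 ;;
        esac
    done
    [ "$strong" -eq 1 ] && return 0
    echo "WARNING: $file verified with md5/sha1 only" >&2
    return 2
}
```

Checking all supplied digests rather than only the locally configured type means a tampered upstream tarball has to match every algorithm at once, and the distinct return code for "weak only" lets a build wrapper decide whether to treat that as an error.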

