[arch-general] Packages Verified with MD5

Taylor Hornby havoc at defuse.ca
Sun Jan 12 11:58:15 EST 2014


On 01/12/2014 02:58 AM, Rashif Ray Rahman wrote:
> On 12 January 2014 14:09, Taylor Hornby <havoc at defuse.ca> wrote:
>> Are there other packages still being verified with MD5? Can we fix them
>> too? I'll gladly donate my time if it's not something that can be automated.
> 
> Of the 4890 base packages shown by ABS, 2988 are MD5-only. That is
> 61%, or more than half.
> 

Wow, that's quite a lot.

Do I understand correctly that the hashes are relied on for security? In
other words, is it the package (containing the PKGBUILD) that's signed,
and once it's verified, it's the PKGBUILD's responsibility to check the
integrity of the files it needs?

If so, this should be fixed as soon as possible. How feasible would it
be? Could it be as simple as making a script that:

1. Finds the 'source' and 'md5sums' lines.
2. Downloads the packages and checks the md5sums.
3. Computes the SHA256sums, and adds them to the file.

If there's anything I can do to help, let me know.

-- 
Taylor Hornby


More information about the arch-general mailing list