[arch-general] Packages Verified with MD5

Taylor Hornby havoc at defuse.ca
Mon Jan 13 10:40:12 EST 2014

On 01/13/2014 02:49 AM, Rashif Ray Rahman wrote:
> On 13 January 2014 00:58, Taylor Hornby <havoc at defuse.ca> wrote:
>> > If so, this should be fixed as soon as possible. How feasible would it
>> > be? Could it be as simple as making a script that:
>> >
>> > 1. Finds the 'source' and 'md5sums' lines.
>> > 2. Downloads the packages and checks the md5sums.
>> > 3. Computes the SHA256sums, and adds them to the file.
>> >
>> > If there's anything I can do to help, let me know.
> Makepkg supports MD5 and the SHAs. A PKGBUILD can have multiple
> checksums, but it depends on the maintainer which of them they'd
> prefer to use. You can get them to deprecate the practice of using
> MD5-only PKGBUILDs.
> You're actually concerned about a part of the packaging process that
> requires human discretion. It is up to the packager to verify that the
> sources are good. They can proactively search for authentic checksums
> and signatures.

Yep, I misunderstood how it works. I thought the PKGBUILD was used on
users' systems when they run "pacman -S truecrypt", when in fact the
PKGBUILD is only used by the package maintainer to generate the binary
packages, which they then sign.

So it's not as bad as I thought, and moving to SHA256 doesn't fix the
problem. The only solution is to convince the software sources (Mozilla,
etc.) to sign the files they release.

Taylor Hornby
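The helper script proposed at the top of this thread, written out as an added example. This is not code from the thread, from makepkg, or from the Arch packaging tools: the function names `md5_to_sha256` and `make_fixture`, the package name `foo`, the `example.invalid` URL and the contents of the stand-in tarball are all constructed for the demonstration. It checks each downloaded source against the PKGBUILD's `md5sums=()` and, only if every MD5 matches, prints the equivalent `sha256sums=()` line. As the reply above says, this only re-hashes bytes the packager already has; a stronger digest of the same file says nothing about whether upstream was compromised.

```bash
#!/usr/bin/env bash
# Added example (not from the thread or from makepkg): verify downloaded
# sources against a PKGBUILD's md5sums=() and emit an equivalent sha256sums=()
# line. Package name, URL and tarball contents below are constructed.
set -euo pipefail

# md5_to_sha256 PKGBUILD SRCDIR
# Sources the PKGBUILD the way makepkg does (so it executes whatever the file
# contains; use it only on PKGBUILDs you would build anyway), checks each
# entry of source=() against md5sums=(), and prints a sha256sums=() array for
# the same files. Returns 1 on the first MD5 mismatch. A SHA-256 of the same
# bytes is no more authentic than the MD5 was; only an upstream signature is.
md5_to_sha256() {
  local pkgbuild=$1 srcdir=$2
  (
    # shellcheck disable=SC1090
    source "$pkgbuild"
    local i src file want got
    local out=()
    for i in "${!source[@]}"; do
      src=${source[$i]}
      case $src in
        *::*) file=$srcdir/${src%%::*} ;;        # "localname::url" form
        *)    file=$srcdir/$(basename "$src") ;; # plain URL or local file
      esac
      want=${md5sums[$i]}
      got=$(md5sum "$file" | cut -d' ' -f1)
      if [ "$want" != SKIP ] && [ "$want" != "$got" ]; then
        echo "md5 mismatch for $file: PKGBUILD says $want, file is $got" >&2
        exit 1
      fi
      out+=("'$(sha256sum "$file" | cut -d' ' -f1)'")
    done
    printf 'sha256sums=(%s)\n' "${out[*]}"
  )
}

# make_fixture: build a scratch directory holding a constructed stand-in for a
# source tarball and a PKGBUILD whose md5sums=() matches it. Prints the path.
make_fixture() {
  local dir md5
  dir=$(mktemp -d)
  printf 'constructed stand-in for foo-1.0.tar.gz\n' > "$dir/foo-1.0.tar.gz"
  md5=$(md5sum "$dir/foo-1.0.tar.gz" | cut -d' ' -f1)
  cat > "$dir/PKGBUILD" <<EOF
pkgname=foo
pkgver=1.0
source=("https://example.invalid/foo-\${pkgver}.tar.gz")
md5sums=('$md5')
EOF
  echo "$dir"
}

# Stand-alone demo: build the fixture and print the sha256sums line for it.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  demo=$(make_fixture)
  md5_to_sha256 "$demo/PKGBUILD" "$demo"
fi
```

Run it in a directory where the sources have already been fetched (for example after `makepkg -o`), then paste the printed line into the PKGBUILD in place of `md5sums=()`; makepkg accepts either array. The script sources the PKGBUILD rather than grepping for `source=` and `md5sums=` because those arrays routinely reference `${pkgver}` and other variables, which only expand correctly when the file is evaluated as bash.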