[arch-general] Packages Verified with MD5

Taylor Hornby havoc at defuse.ca
Mon Jan 13 10:40:12 EST 2014


On 01/13/2014 02:49 AM, Rashif Ray Rahman wrote:
> On 13 January 2014 00:58, Taylor Hornby <havoc at defuse.ca> wrote:
>> > If so, this should be fixed as soon as possible. How feasible would it
>> > be? Could it be as simple as making a script that:
>> >
>> > 1. Finds the 'source' and 'md5sums' lines.
>> > 2. Downloads the packages and checks the md5sums.
>> > 3. Computes the SHA256sums, and adds them to the file.
>> >
>> > If there's anything I can do to help, let me know.
> Makepkg supports MD5 and the SHAs. A PKGBUILD can have multiple
> checksums, but it depends on the maintainer which of them they'd
> prefer to use. You can get them to deprecate the practice of using
> MD5-only PKGBUILDs.
> 
> You're actually concerned about a part of the packaging process that
> requires human discretion. It is up to the packager to verify that the
> sources are good. They can proactively search for authentic checksums
> and signatures.

Yep, I misunderstood how it works. I thought the PKGBUILD was used on
users' systems when they run "pacman -S truecrypt", when in fact the
PKGBUILD is only used by the package maintainer to generate the binary
packages, which they then sign.

So it's not as bad as I thought, and moving to SHA256 doesn't fix the
problem. The only solution is to convince the software sources (Mozilla,
etc.) to sign the files they release.

-- 
Taylor Hornby
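The script sketched in the quoted proposal earlier in the thread (find the source and md5sums lines, check the md5sums, compute sha256sums and add them to the file), as an added example that is not part of this thread and not makepkg's own code. It assumes the sources have already been downloaded and are handed in as a name-to-bytes mapping (a constructed sample here, so nothing is fetched), and it only parses literal source=() and md5sums=() arrays rather than evaluating the PKGBUILD as bash, so entries that use shell variables are out of scope. The check catches a download whose bytes differ from what the packager recorded, but, as the reply in the thread notes, neither digest says anything about whether those bytes are the authentic upstream release.

```python
import hashlib
import re
import shlex
from typing import Dict, List

# Constructed stand-in for "downloaded" sources: file name -> bytes.
# In a real run these would be fetched from the URLs in source=().
FETCHED_SOURCES: Dict[str, bytes] = {
    "example-1.0.tar.gz": b"not a real tarball, just sample bytes\n",
    "example.install": b"post_install() { :; }\n",
}

# Constructed sample PKGBUILD (not a real Arch package). Its md5sums are
# derived from FETCHED_SOURCES so the sample is self-consistent.
SAMPLE_PKGBUILD = """\
pkgname=example
pkgver=1.0
pkgrel=1
arch=('any')
source=("https://example.invalid/example-1.0.tar.gz"
        'example.install')
md5sums=('%s'
         '%s')
""" % (
    hashlib.md5(FETCHED_SOURCES["example-1.0.tar.gz"]).hexdigest(),
    hashlib.md5(FETCHED_SOURCES["example.install"]).hexdigest(),
)


def _array_re(name: str) -> "re.Pattern[str]":
    # Matches a literal bash array assignment such as md5sums=('a' 'b'),
    # possibly spanning lines. Stops at the first ')', which is fine for the
    # hash and URL entries this tool cares about.
    return re.compile(r"^" + re.escape(name) + r"=\((.*?)\)", re.M | re.S)


def parse_array(pkgbuild: str, name: str) -> List[str]:
    """Return the entries of a literal name=( ... ) array, unquoted."""
    m = _array_re(name).search(pkgbuild)
    if m is None:
        return []
    return shlex.split(m.group(1), comments=True)


def source_filename(entry: str) -> str:
    # makepkg allows "localname::url"; otherwise the file is the URL basename.
    if "::" in entry:
        return entry.split("::", 1)[0]
    return entry.rstrip("/").rsplit("/", 1)[-1]


def verify_md5(pkgbuild: str, fetched: Dict[str, bytes]) -> List[str]:
    """Return the names of sources whose md5sum does not match (empty = all ok)."""
    sources = parse_array(pkgbuild, "source")
    md5s = parse_array(pkgbuild, "md5sums")
    if len(sources) != len(md5s):
        raise ValueError("source and md5sums arrays differ in length")
    bad = []
    for entry, expected in zip(sources, md5s):
        if expected == "SKIP":  # makepkg's marker for "do not check"
            continue
        name = source_filename(entry)
        if name not in fetched:
            raise ValueError("missing downloaded source: " + name)
        if hashlib.md5(fetched[name]).hexdigest() != expected.lower():
            bad.append(name)
    return bad


def add_sha256sums(pkgbuild: str, fetched: Dict[str, bytes]) -> str:
    """Verify md5sums, then add (or replace) a matching sha256sums array."""
    bad = verify_md5(pkgbuild, fetched)
    if bad:
        raise ValueError("md5 mismatch for: " + ", ".join(bad))
    digests = []
    for entry, expected in zip(parse_array(pkgbuild, "source"),
                               parse_array(pkgbuild, "md5sums")):
        if expected == "SKIP":
            digests.append("SKIP")
        else:
            digests.append(hashlib.sha256(fetched[source_filename(entry)]).hexdigest())
    indent = " " * len("sha256sums=(")
    block = "sha256sums=(" + ("\n" + indent).join("'%s'" % d for d in digests) + ")\n"
    sha_re = _array_re("sha256sums")
    if sha_re.search(pkgbuild):
        return sha_re.sub(lambda _m: block.rstrip("\n"), pkgbuild, count=1)
    # Otherwise insert the new array on the line after the md5sums array.
    m = _array_re("md5sums").search(pkgbuild)
    if m is None:
        raise ValueError("no md5sums array found")
    nl = pkgbuild.find("\n", m.end())
    at = len(pkgbuild) if nl == -1 else nl + 1
    return pkgbuild[:at] + block + pkgbuild[at:]


if __name__ == "__main__":
    print(add_sha256sums(SAMPLE_PKGBUILD, FETCHED_SOURCES))
```

Running the block prints the sample PKGBUILD with a sha256sums array inserted directly after md5sums; running it again on the result replaces the array in place rather than adding a second one. A tampered source (different bytes than the recorded md5sum) makes `verify_md5` report it and `add_sha256sums` refuse to proceed, which is the only guarantee this kind of script can give.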
