[arch-general] Severity of Failed checksum for PKGBUILD

Daniel Micay danielmicay at gmail.com
Fri Feb 20 14:39:18 UTC 2015


On 20/02/15 09:03 AM, Mark Lee wrote:
> 
>> No... the integrity check not matching is not because an
>> out-of-tree source tree was used. The checksums are certainly not
>> there to improve security, that's what GPG signatures are for.
> 
> 
> The checksums are there for integrity. The GPG signatures only confirm
> the packager built the package. My question is if a packager's
> PKGBUILD fails a checksum and the license is GPL, how does the
> packager fulfill their requirement to provide the source code? How
> does the packager prove that the source was used to build the
> binaries, especially when there are hash collisions in md5? The
> packager seems to offset the source code necessities by grabbing the
> source from upstream, but the checksums don't match...
> 
> I understand that the metadata changed which changed the checksum, but
> that doesn't really change the question of what to do with source code
> versioning systems that have changing checksums and the need to supply
> source code for GPL projects.
> 
> Regards,
> Mark

This is Arch's way of complying with the GPL:

https://sources.archlinux.org/

It should really be generated by devtools instead of on the server,
sure, but either way it "proves" nothing. The packager can trivially
build the package with different sources... if you don't trust us, then
you have bigger problems and nothing short of examining the compiled
code is going to prove anything. This is why people care about
deterministic, reproducible builds:

https://wiki.debian.org/ReproducibleBuilds

It makes it possible to audit binary builds sanely.
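The distinction the two messages above are circling (what a checksum array in a PKGBUILD proves, versus what only a reproducible build proves) as an added example. This is not code from Arch, from makepkg, or from either author of the thread. The source tree, the PKGBUILD fragment, the example.invalid URLs and the "wall-clock" values used to simulate two builds on different days are all constructed here; the only makepkg convention it relies on is that a checksum entry of 'SKIP' turns verification off for that source, which is how VCS sources with changing content are normally declared. The "build" step is just packaging a tarball, standing in for a real compile, but the nondeterminism it models (timestamps, member order) is the same kind the Debian project's reproducible-builds work has to remove.

```python
"""Added example: checksums pin the INPUT; reproducibility pins the OUTPUT."""
import gzip
import hashlib
import io
import re
import tarfile

# Constructed sample source tree standing in for an upstream release.
SOURCE_TREE = {
    "hello-1.0/hello.c": b'#include <stdio.h>\nint main(void){puts("hi");return 0;}\n',
    "hello-1.0/Makefile": b"all:\n\tcc -o hello hello.c\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_sha256sums(pkgbuild: str) -> list:
    """Pull the sha256sums=() array out of PKGBUILD text.

    Accepts the literal 'SKIP', which makepkg uses for sources (typically
    VCS checkouts) whose content is not expected to stay stable.
    """
    m = re.search(r"sha256sums=\((.*?)\)", pkgbuild, re.S)
    if not m:
        return []
    return re.findall(r"'([0-9a-fA-F]{64}|SKIP)'", m.group(1))


def check_source(blob: bytes, expected: str) -> str:
    """Integrity check of one fetched source against its pinned digest."""
    if expected == "SKIP":
        return "skipped"        # nothing at all is verified for this source
    return "ok" if sha256_hex(blob) == expected.lower() else "mismatch"


def pack(tree: dict, deterministic: bool, wall_clock: int) -> bytes:
    """Produce a .tar.gz of `tree` in memory; stands in for a build step.

    Non-deterministic mode imitates a naive packaging run: the gzip header
    and every member carry the build machine's clock (passed in so the
    example can replay "two builds on two days"), and members are emitted
    in dict order. Deterministic mode pins mtime to 0 (what exporting
    SOURCE_DATE_EPOCH=0 aims at) and sorts members. Ownership is zeroed in
    both modes; the nondeterminism modelled here is time and order only.
    """
    mtime = 0 if deterministic else wall_clock
    names = sorted(tree) if deterministic else list(tree)
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=mtime) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for name in names:
                data = tree[name]
                info = tarfile.TarInfo(name)
                info.size = len(data)
                info.mtime = mtime
                info.uid = info.gid = 0
                info.uname = info.gname = ""
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_is_reproducible(tree: dict, deterministic: bool,
                          clocks=(1_000_000, 2_000_000)) -> bool:
    """Rebuild twice at different simulated clock values. True iff both
    artifacts are bit-identical, i.e. a third party could recreate the
    packager's output and compare it instead of trusting the packager."""
    digests = {sha256_hex(pack(tree, deterministic, t)) for t in clocks}
    return len(digests) == 1


def make_pkgbuild(digest: str) -> str:
    """Constructed PKGBUILD fragment: one tarball source, one VCS source."""
    return (
        "pkgname=hello\npkgver=1.0\n"
        "source=('https://example.invalid/hello-1.0.tar.gz'\n"
        "        'hello::git+https://example.invalid/hello.git')\n"
        f"sha256sums=('{digest}'\n            'SKIP')\n"
    )


if __name__ == "__main__":
    upstream = pack(SOURCE_TREE, True, 0)          # the tarball that was fetched
    sums = parse_sha256sums(make_pkgbuild(sha256_hex(upstream)))
    print("pinned source  :", check_source(upstream, sums[0]))
    print("tampered copy  :", check_source(upstream + b"\x00", sums[0]))
    print("VCS source     :", check_source(b"", sums[1]))
    print("naive build reproducible?     ", build_is_reproducible(SOURCE_TREE, False))
    print("normalized build reproducible?", build_is_reproducible(SOURCE_TREE, True))
```

Read the two halves against the thread: `check_source` is all a checksum array gives you, and a 'SKIP' entry gives you nothing, so a failing or absent checksum says nothing about which binary was produced either way. `build_is_reproducible` is the property that lets an auditor skip trusting the packager: if the normalized build matches, anyone can fetch the pinned source, rebuild, and diff the result against the shipped package.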
