[arch-general] Severity of Failed checksum for PKGBUILD

Florian Pelz pelzflorian at googlemail.com
Fri Feb 20 14:41:49 UTC 2015


Hi,

On 02/20/2015 03:22 PM, Daniel Micay wrote:
> On 20/02/15 09:03 AM, Mark Lee wrote:
>> I understand that the metadata changed which changed the checksum, but
>> that doesn't really change the question of what to do with source code
>> versioning systems that have changing checksums and the need to supply
>> source code for GPL projects.
> 
> Checksums aren't sources. Checksums aren't a proof that the package was
> built from those sources. Checksums also aren't a valuable security
> mechanism, unlike the support for GPG verification of sources. They're
> blindly updated on every release and clobbering release is common... so
> we've all learned to ignore checksum failures. I don't understand what
> this has to do with the GPL.
> 

Checksums prove that the sources you downloaded when running makepkg are
the same sources the author of the PKGBUILD used. This can be a valuable
security measure when those sources are not downloaded on a secure
connection (http instead of https and the like).

I'm not sure if downloads over the git:// protocol are actually
verified, because the transfer is definitely not secure. I do hope so.

Greetings,
Florian
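An added example (not part of the thread, and not makepkg's own code) of the check the message describes: the sha256sums array in a PKGBUILD is compared against hashes of the downloaded source files, and a VCS source marked SKIP is reported as unverified rather than checked. The PKGBUILD text and the file contents are constructed for the example.

```python
import hashlib
import re

# Constructed PKGBUILD fragment for illustration (not a real package).
PKGBUILD = r'''
pkgname=example
source=("https://example.invalid/example-1.0.tar.gz"
        "git://example.invalid/example.git")
sha256sums=('9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08'
            'SKIP')
'''


def parse_array(text, name):
    """Extract a bash-style array name=(...) into a list of unquoted items."""
    m = re.search(re.escape(name) + r'=\((.*?)\)', text, re.S)
    if not m:
        return []
    return [tok.strip('\'"') for tok in m.group(1).split()]


def verify_sources(pkgbuild, files):
    """Compare each source against its sha256sums entry.

    files maps a source URL to the bytes that were downloaded for it;
    VCS sources (git://...) have no file and carry the SKIP marker.
    Returns a list of (source, status) where status is one of
    'ok', 'FAILED', 'missing' or 'unverified'.
    """
    sources = parse_array(pkgbuild, 'source')
    sums = parse_array(pkgbuild, 'sha256sums')
    results = []
    for src, expected in zip(sources, sums):
        if expected == 'SKIP':
            # makepkg performs no integrity check here at all.
            results.append((src, 'unverified'))
            continue
        data = files.get(src)
        if data is None:
            results.append((src, 'missing'))
            continue
        actual = hashlib.sha256(data).hexdigest()
        results.append((src, 'ok' if actual == expected else 'FAILED'))
    return results


if __name__ == '__main__':
    downloaded = {"https://example.invalid/example-1.0.tar.gz": b"test"}
    for src, status in verify_sources(PKGBUILD, downloaded):
        print(f"{status:10s} {src}")
```

Only the tarball is actually bound to what the PKGBUILD author had; the git:// source is accepted with no check, which is the gap the message raises for unauthenticated transports.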
