[arch-general] Severity of Failed checksum for PKGBUILD

Mark Lee mark at markelee.com
Fri Feb 20 15:26:33 UTC 2015


On 02/20/2015 10:22 AM, Florian Pelz wrote:
> On 02/20/2015 03:59 PM, Daniel Micay wrote:
>> The vast majority of users make use of the binary packages and the 
>> checksums do absolutely nothing to secure the main attack vector
>> which is a compromise of the sources downloaded by the packager. It
>> is only relevant to the tiny minority of people building a package
>> with ABS.
>>
>> The more meaningful compromise needs to happen to the actual
>> package in the repositories. A compromise of the server hosting the
>> sources is the most likely way for this to happen. HTTPS can't do
>> anything to defend against it. HTTPS can only defend against a MITM
>> attack on a specific downstream packager.
>>
> 
> The difference is that if certain government organizations infiltrate
> the Arch servers or upstream, they break everyone's security. They may
> be less likely to do that compared to breaking just yours.
> 
>> There is support for validating sources with GPG signatures, which
>> is a complete solution to this issue. If you care, then file issues
>> for any packages that aren't using the upstream signatures yet, and
>> complain to upstream if they aren't signing the releases.
>>
> 
> This certainly is the right way to go, but I don't think enough
> upstream projects care to make it a viable option for personal
> computers today. PKGBUILD checksums provide less security, but they do
> provide some.
> 
>> On 20/02/15 09:41 AM, Florian Pelz wrote:
>>> I'm not sure if downloads over the git:// protocol are actually 
>>> verified, because the transfer is definitely not secure. I do
>>> hope so.
>>
>> Git's read-only protocol is not authenticated. It supports SSH and
>> HTTPS which do have two different forms of authentication, both of
>> which are very flawed. Signed tags make a lot more sense, and you
>> shouldn't be using code from development branches if you care a lot
>> about robustness and security, since
>>
> 
> It is not authenticated, but I care about checksums. (Authentication
> would be even better because it ensures others don't know what
> software I am running -- but that is too much to ask.) I don't see why
> SSH and HTTPS are flawed, other than a distrust in certificate
> authorities.
> 
> I still hope that git:// downloads use checksums. I'm not sure.
> 
> Greetings,
> Florian
> 

Well it seems the issue has been solved with mpv-0.8.0-2.

However, the issue still stands regarding checksums. Perhaps packages
with metadata changes should just not include checksums? Or, they could
just link to the sources.archlinux.org in those cases with checksums.

In addition, I was thinking more along the lines of coercion.

Regards,
Mark


More information about the arch-general mailing list