[arch-general] Severity of Failed checksum for PKGBUILD

[Florian Pelz]

On 02/20/2015 07:22 PM, Dolan Murvihill wrote:
> CAs can, and have, deliberately issued fraudulent certificates.
> TrustWave is the only one that has been discovered doing this ---
> and that, only because they came forward on their own years after
> the fact. The security community generally agrees that many, many
> of the less reputable CAs have done or are doing this. TrustWave
> is, by the way, still trusted.
> 
> In addition, there have been many, many fraudulent certificates
> issued by CAs that were not keeping their network secure. Such CAs
> rarely have their trust revoked in practice.
> 
> The bottom line is that the CA network is large and complex, and
> your browser trusts thousands of CAs all over the world, including
> some that are... erm... sketchy. You seem to have an awful lot of
> confidence, considering the size of that attack surface.
> 
> I'd be happy to continue this discussion, but we should split it
> into a separate topic.
> 
> -Dolan
> 

I underestimated how often that has happened. It seems I really should
not have as much trust in all certificate authorities.

So why is it recommended that Arch PKGBUILDs use SHA checksums rather
than MD5 if it rarely helps? Just because we can and it sometimes does
help?