[arch-general] Stronger Hashes for PKGBUILDs
fnodeuser
subscription at binkmail.com
Sat Dec 3 05:27:12 UTC 2016
https://lists.archlinux.org/pipermail/arch-dev-public/2016-November/028492.html
i have a few things to add to this.
the message digests at the download page for the .iso file, must change to sha256 and sha512 ones, or to a sha512 one.
if an upstream does not sign the files, does not have https enabled, and/or refuses to take security and privacy seriously, sha512 must be used in the PKGBUILD files.
in the cases of upstreams that use md5 and/or sha1 message digests, those will be added in a second ALGOsums= line under the sha512sums= line. if they use md5 and sha1, then sha1sums must be used for the second ALGOsums= line.
More information about the arch-general
mailing list