[arch-general] Stronger Hashes for PKGBUILDs

NicoHood archlinux at nicohood.de
Sun Dec 4 21:44:54 UTC 2016



On 12/03/2016 07:21 PM, sivmu wrote:
> 
> 
> Am 03.12.2016 um 06:27 schrieb fnodeuser:
> 
>>
>> if an upstream does not sign the files, does not have https enabled, and/or refuses to take security and privacy seriously, sha512 must be used in the PKGBUILD files.
> 
> But using a hash value without the possibility to verify the hashed
> files, adds no security. It provides a false sense of security instead.
> 
> I agree that we should use a strong hash by default where it makes
> sense. But in the absence of effective validation of upstream packages,
> this is meaningless.
> 

It adds (possible) security for those who want to rebuild the package at
a later time or modify the PKGBUILD. It ensures they get the exact same
sources as the original publisher. This comes especially into place if
you live inside a country where you do not have much freedom online.

I also like the suggestion to also sign the ISO files with sha512sums.
It would not cause any trouble to add one more hash and a lot more
people will be happy. Great idea!

I also got a request from AUR:
https://aur.archlinux.org/packages/snap-sync/

Those suggestions should be written down somewhere. I agree with this,
as I also did a lot of things wrong and the PKGBUILD police (anthraxx)
corrected those for me. I think a simple checklist with examples would
be nice. This could contain:

* Use https whenever possible
* Use GPG whenever possible
* Ask upstream if they do not use https and gpg yet (with some templates
I made)
* Use strong hashes
* Add a note about the simple devtools chroot build and updpkgsums function
* Use unique sources (if you are building in the same source directory)
* Mask all variables with quotes
* Use .xz sources wherever possible (to speed up downloads on
unstable/slow connections)
* Do not delete users on uninstall
* Use an underscore for user variables
* https://lists.archlinux.org/pipermail/aur-general/2016-October/032845.html

So what do you guys think if we make our implicit standards available
somewhere on the wiki? This would make it more transparent on how we
build stuff, how TUs should package and give a guideline for AUR
maintainers, as they might not know about some details like this.

~Nico
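As an added example that is not part of the thread or of any Arch tooling: a small bash lint (assumed names lint_pkgbuild, weak_pkgbuild, fixed_pkgbuild) that flags the checklist items a PKGBUILD violates, run over a constructed weak sample and the same sample with the checklist applied. The checks are plain greps, so they are heuristics rather than a replacement for namcap or makepkg's own source verification.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: a grep-based lint for the checklist items
# above. Heuristic; not a replacement for namcap or makepkg's own verification.
# Standard PKGBUILD variables; any other lower-case variable should start with "_".
_std='pkgname|pkgver|pkgrel|epoch|pkgdesc|arch|url|license|groups|depends|makedepends'
_std="$_std|checkdepends|optdepends|provides|conflicts|replaces|backup|options|install"
_std="$_std|changelog|source|noextract|validpgpkeys|md5sums|sha1sums|sha256sums|sha512sums"
# Print one WARN line per checklist violation found in the PKGBUILD file $1.
lint_pkgbuild() {
    local f="$1"
    grep -Eq '(^|[^a-z])http://' "$f" &&
        echo "WARN: http:// source; use https where upstream offers it"
    grep -Eq '^(md5sums|sha1sums)=' "$f" &&
        echo "WARN: md5sums/sha1sums; use sha256sums or sha512sums"
    # A .sig/.asc in source= is only verified by makepkg when validpgpkeys is set.
    grep -Eq '\.(sig|asc)["'"'"']' "$f" && ! grep -q '^validpgpkeys=' "$f" &&
        echo "WARN: signature in source= but no validpgpkeys"
    grep -Eq '(^|[^"])\$[{]?(pkgdir|srcdir)' "$f" &&
        echo "WARN: unquoted \$pkgdir/\$srcdir; mask variables with quotes"
    # GitHub archive/vX.tar.gz is saved as vX.tar.gz: not unique across packages.
    grep -E 'archive/[^:]*\.tar\.gz' "$f" | grep -vq '::' &&
        echo "WARN: non-unique source filename; rename it with name::url"
    grep -Eo '^[a-z][a-z0-9]*=' "$f" | grep -Evq "^($_std)=$" &&
        echo "WARN: custom variable without leading underscore"
    return 0
}

# Constructed sample (no real project) that violates six checklist items.
weak_pkgbuild() { cat <<'EOF'
pkgname=example
pkgver=1.0
commit=abc123
source=("http://github.com/example/example/archive/v$pkgver.tar.gz" "http://example.org/example-$pkgver.tar.gz.asc")
md5sums=('SKIP' 'SKIP')
package() { cd $srcdir/$pkgname-$pkgver; install -Dm755 example $pkgdir/usr/bin/example; }
EOF
}
# The same package with the checklist applied (run updpkgsums to fill the sha512 values).
fixed_pkgbuild() { cat <<'EOF'
pkgname=example
pkgver=1.0
_commit=abc123
source=("$pkgname-$pkgver.tar.gz::https://github.com/example/example/archive/v$pkgver.tar.gz"
        "https://example.org/example-$pkgver.tar.gz.asc")
validpgpkeys=('0000000000000000000000000000000000000000')  # placeholder fingerprint
sha512sums=('SKIP' 'SKIP')
package() { cd "$srcdir/$pkgname-$pkgver"; install -Dm755 example "$pkgdir/usr/bin/example"; }
EOF
}
t=$(mktemp); weak_pkgbuild >"$t"; lint_pkgbuild "$t"     # six WARN lines
fixed_pkgbuild >"$t"; lint_pkgbuild "$t"; rm -f "$t"      # no output
```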
