[arch-general] Stronger Hashes for PKGBUILDs
sivmu
sivmu at web.de
Mon Dec 5 19:56:35 UTC 2016
Am 04.12.2016 um 05:37 schrieb Maxwell Anselm via arch-general:
>>
>> You mean the source files that you downloaded and then hashed...
>>
>
> Yes. If the source files are being modified via a MITM attack (which is
> trivial if the host uses HTTP) the checksum is still useful.
>
The checksum that was created by zou after downloading the compromised
source file.
I don't see how that is useful. The checksum will always be correct and
validate nothing
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-general/attachments/20161205/55dc90e7/attachment.asc>
More information about the arch-general
mailing list