[arch-general] Stronger Hashes for PKGBUILDs

Eli Schwartz eschwartz93 at gmail.com
Mon Dec 5 20:50:39 UTC 2016


On 12/05/2016 02:56 PM, sivmu wrote:
> Am 04.12.2016 um 05:37 schrieb Maxwell Anselm via arch-general:
>>> You mean the source files that you downloaded and then hashed...
>>
>> Yes. If the source files are being modified via a MITM attack (which is
>> trivial if the host uses HTTP) the checksum is still useful.
> 
> The checksum that was created by you after downloading the compromised
> source file.
> 
> I don't see how that is useful. The checksum will always be correct and
> validate nothing.
> 

Possibilities

1) MITM attack between end-user and internet. PKGBUILD is downloaded
over HTTPS, but source files are downloaded over HTTP. MITM attack
cannot manipulate the PKGBUILD, but can fake the sources.

AUR maintainer was probably not under the same MITM. ;)

2) Source website hacked. AUR maintainer blindly generates checksums
from the compromised source, nothing else matters because everyone is
screwed.

3) Source website hacked, after the AUR maintainer generates checksums
from the original uncompromised source.

...

In cases #1 & #3 (and #3 is only by accident) stronger checksums *will*
help.
Those are also the cases where it is more likely the maintainer is
security-conscious and checks the sources before generating the
manually-upgraded-to-sha256-or-higher checksums.

...

Context is everything. I am sure many people who read this thread are
not aware of the following forum thread in which the matter was
extensively discussed: https://bbs.archlinux.org/viewtopic.php?id=217588

Allan has already declared that he will not change the default
makepkg.conf, on the grounds that #2 is the most likely scenario for
people getting malicious packages.
He also wants everyone to know that updpkgsums and makepkg are perfectly
okay with maintainers changing the defaults, people who don't know there
are defaults to change are probably not your best bet security-wise, and
the only real security is either PGP or strong checksums posted by
upstream on a second website.
Also, that changing the defaults will encourage a false sense of
security when people think that checksums have any validity in
authentication.

Personally, I want the defaults changed because of #1 & #3, but it
doesn't seem that will happen *as a matter of principle* so I guess
everyone can continue bikeshedding here. Or in arch-dev-public. (Though
having a TU take up the fight is indeed somewhat more useful than random
users, so who knows?)

-- 
Eli Schwartz
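The three scenarios above, played out with a PKGBUILD-style checksum, as an added example that is not part of the thread: the checksum catches a source replaced after the maintainer hashed it (#1, #3) and passes silently when the source was already compromised at hashing time (#2). It assumes only coreutils (sha256sum, mktemp); the "upstream" file, the tampered file and the PKGBUILD.sha256 stand-in are all constructed here, and the algorithm choice does not change which scenarios are detectable.

```shell
#!/bin/sh
# Added example: simulate makepkg's integrity check across the thread's
# three scenarios. Assumes coreutils; every file below is constructed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# "Upstream" publishes a tarball stand-in (constructed content).
publish_upstream() {
    printf 'legit upstream source v1\n' > "$WORK/src.tar"
}

# Maintainer side: fetch the source and record its checksum in the PKGBUILD,
# which is what updpkgsums does when it fills the sha256sums=() array.
maintainer_hash() {
    sha256sum "$WORK/src.tar" | cut -d' ' -f1 > "$WORK/PKGBUILD.sha256"
}

# Attacker side (MITM on the HTTP download, or a hacked source website):
# the file the end user receives is no longer what upstream published.
tamper() {
    printf 'modified source\n' > "$WORK/src.tar"
}

# End-user side: makepkg compares the downloaded file with the recorded
# checksum. Returns 0 on match (build proceeds), 1 on mismatch (build aborts).
verify() {
    expected=$(cat "$WORK/PKGBUILD.sha256")
    actual=$(sha256sum "$WORK/src.tar" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Scenarios #1 and #3: the source is swapped after the maintainer hashed
# the genuine copy, so the recorded checksum no longer matches. Prints "fail".
scenario_after_hash() {
    publish_upstream; maintainer_hash; tamper
    if verify; then echo pass; else echo fail; fi
}

# Scenario #2: upstream was already compromised when the maintainer ran
# updpkgsums, so the checksum matches and detects nothing. Prints "pass".
scenario_before_hash() {
    publish_upstream; tamper; maintainer_hash
    if verify; then echo pass; else echo fail; fi
}
```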

