[arch-general] Stronger Hashes for PKGBUILDs

NicoHood archlinux at nicohood.de
Tue Dec 6 21:41:16 UTC 2016



On 12/05/2016 11:45 PM, Eli Schwartz via arch-general wrote:
> On 12/05/2016 05:25 PM, sivmu wrote:
>> A LOT of packages do not use pgp validation even though upstream
>> provides signatures. That is the real issue here.
>>
>> Let me say this again: everyone who is responsible for arch packages
>> needs to be clearly advised to use all available methods to effectively
>> verify upstream source files.
>>
>> Using a strong hash by default won't do that.
> 
> AUR packages, or repo packages? There was a todo list[1] for the repos.
> 
> For anything in the AUR you should definitely drop a comment on their
> page. And change the wiki guidelines on packaging standards to mention this.
> 

Yes we really should change the wiki. I once already did, but it got
reverted.

The argument about false security is somewhat valid. People should not
think that it replaces a GPG signature. However, those people do not care
at all, and if they'd use sha512 it can only have positive effects.

It does not only (but especially) apply to the AUR. But I also had to
rebuild some official packages (because of several issues or
modifications). And strong hashes would ensure I get the same sources as
the maintainer used.

So the real solution is to set strong hashes as default to help those
who just don't know what is more important. But we also need to explain
in which situations and why they are important (wiki).

And furthermore people should be encouraged to ask upstream to sign
their sources with GPG. I did this with a lot of sources already and I
also try to explain it as simply as possible for them. The more people
start using GPG, the more those who don't will understand the importance.
And this would also solve the hash issue.

I got really positive feedback so far and also questions about GPG.
People do want to secure their stuff, but they don't know how or don't
know how easy it is.

Going further I personally will not move any package to [community]
unless it provides GPG signatures (excluding arduino as I've already
uploaded parts of it).

Here is a tutorial on how to set up GPG real quick, and also a template to
ask upstream for GPG signatures. Any contributions appreciated.
https://github.com/NicoHood/NicoHood.github.io/wiki/How-to-sign-sources-with-GPG-in-under-5-minutes
https://github.com/NicoHood/NicoHood.github.io/wiki/GPG-signatures-for-source-validation

~Nico
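
Added example, not code from this thread, from makepkg or from Nico's
wiki pages: a small bash re-implementation of the integrity checks
makepkg runs over a PKGBUILD's source=(), sha512sums=() and
validpgpkeys=() arrays, so the two points above (a strong hash pins the
tarball to what the maintainer used; only a signature from a key in
validpgpkeys actually verifies upstream) can be exercised offline. It
deliberately differs from makepkg in one place: a SKIP entry is accepted
only for a detached .sig/.asc whose signature verifies against a listed
fingerprint, so SKIP can never silently mean "unverified". Assumed: bash,
coreutils sha512sum (or shasum) and, for the signature branch only, gpg on
PATH. The example URL, file names and fingerprint are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not makepkg's own code): re-implements the checksum and
# signature checks makepkg applies to a PKGBUILD's arrays, but rejects any
# SKIP that is not backed by a verified detached signature.

sha512_of() {
  # Print the hex SHA-512 of a file with whichever tool is available.
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | cut -d' ' -f1
  else
    shasum -a 512 "$1" | cut -d' ' -f1
  fi
}

# gpg_fpr_ok SIGFILE DATAFILE -- succeed only if gpg reports VALIDSIG and the
# signing key or its primary key is listed in $validpgpkeys (full 40-hex
# fingerprints), which is the same fingerprint test makepkg performs.
gpg_fpr_ok() {
  local sig=$1 data=$2 line fpr primary key
  command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 1; }
  while IFS= read -r line; do
    case $line in
      "[GNUPG:] VALIDSIG "*)
        # status line: [GNUPG:] VALIDSIG <fpr> ... <primary-key-fpr>
        set -- $line
        fpr=$3; primary=${!#}
        for key in "${validpgpkeys[@]}"; do
          [[ $key == "$fpr" || $key == "$primary" ]] && return 0
        done
        ;;
    esac
  done < <(gpg --status-fd 1 --verify "$sig" "$data" 2>/dev/null)
  return 1
}

# verify_sources DIR -- walk $source and $sha512sums in parallel, resolving
# each entry to DIR/<local name> the way makepkg does ("name::url" renames,
# otherwise the basename of the URL). Returns 0 only if every checksum
# matches and every SKIP belongs to a .sig/.asc that verifies.
verify_sources() {
  local dir=$1 i entry file expect actual data
  (( ${#source[@]} == ${#sha512sums[@]} )) ||
    { echo "source/sha512sums length mismatch" >&2; return 1; }
  for i in "${!source[@]}"; do
    entry=${source[$i]}
    if [[ $entry == *::* ]]; then
      file=$dir/${entry%%::*}
    else
      file=$dir/${entry##*/}
    fi
    expect=${sha512sums[$i]}
    [[ -f $file ]] || { echo "missing: $file" >&2; return 1; }
    if [[ $expect == SKIP ]]; then
      case $file in
        *.sig|*.asc) data=${file%.*} ;;
        *) echo "SKIP on non-signature $file: nothing verifies it" >&2; return 1 ;;
      esac
      (( ${#validpgpkeys[@]} )) ||
        { echo "SKIP on $file but validpgpkeys is empty" >&2; return 1; }
      gpg_fpr_ok "$file" "$data" ||
        { echo "bad or untrusted signature: $file" >&2; return 1; }
    else
      actual=$(sha512_of "$file")
      [[ $actual == "$expect" ]] ||
        { echo "sha512 mismatch: $file" >&2; return 1; }
    fi
  done
  return 0
}

# The arrays a PKGBUILD would declare to satisfy this check (placeholders):
#   source=("https://example.org/releases/${pkgname}-${pkgver}.tar.xz"{,.sig})
#   sha512sums=('<sha512 of the tarball>' 'SKIP')   # SKIP only for the .sig
#   validpgpkeys=('0123456789ABCDEF0123456789ABCDEF01234567')  # upstream's full fingerprint
# After `. ./PKGBUILD` in a shell that has these functions, run
# `verify_sources "$PWD"` against the downloaded files.
```

`makepkg -g` (or `updpkgsums` from pacman-contrib) regenerates the checksum
array after a version bump; the signature entry stays SKIP because the
.sig is what is checked, not hashed. Note that sourcing a PKGBUILD executes
it, exactly as makepkg does, so only do that for files you already trust.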
