[arch-general] Stronger Hashes for PKGBUILDs
David C. Rankin
drankinatty at suddenlinkmail.com
Wed Dec 7 03:37:51 UTC 2016
On 12/03/2016 10:37 PM, Maxwell Anselm via arch-general wrote:
>> You mean the source files that you downloaded and then hashed...
>>
> Yes. If the source files are being modified via a MITM attack (which is
> trivial if the host uses HTTP) the checksum is still useful.
This sounds a lot like a "solution in search of a problem to fix" and blindly
applying any "fix" where it is proveably meaningless really causes credibility
(not to mention the Arch KISS philosophy) to take a beating.
I'm all for validation and stronger hashes, but applying them in a
circumstance where there is no way to validate against any original -- is just
bat-shit crazy.
--
David C. Rankin, J.D.,P.E.
More information about the arch-general
mailing list