[arch-general] Stronger Hashes for PKGBUILDs

Wed Dec 7 12:37:44 UTC 2016

On 12/07/2016 10:49 AM, Allan McRae wrote:
>
> I advocate keeping md5sum as the default because it is broken.  If I see
> someone purely verifying their sources using md5sum in a PKGBUILD (and
> not pgp signature), I know that they have done nothing to actually
> verify the source themselves.
>
> If sha2sums become default, I now know nothing.  Did the maintainer of
> the PKGBUILD get that checksum from a securely distributed source from
> upstream?  Had the source already been compromised upstream before the
> PKGBUILD was made?  Now I am securely verifying the unknown.
>
> But we don't care about that...  we just want to feel warm and fuzzy
> with a false sense of security.
>
> A
>

You are partly right. For a checksum CRC would be best. Fast and simple,
as its meant as checksum, not as a hash.

However if we drop the other hashes we loose the whole integrity for
those cases that people already explained[1]. We all aggree that md5 as
hash is broken. So possibly we should get our point of view into the
direction that those hashes are not checksums, but rather integrity checks.

Once again: This does not help in the very first place of downloading.
But it helps on AUR where multiple users download the files and would
get errors on wrong hashes (if the source got modified later or if a
MITM occured). In those cases users can compare against the hash of
others (maintainer) and at least verify that their source was the same
(integrity).

Also if you say that you can notice the people who do not care about
security by using md5 you can pass the buck to this guy. But this does
not solve anything. And on top there are still a LOT package on the
official repositories that still use md5/sha1. And I really do not
understand why, because those should be aware of the problem.

We should not make the problem worse by using CRC. We should carefully
understand when the integrity check helps. If if its not meant for
integrity, the wiki is wrong, as it calls it integrity not checksum.

There is no real valid argument about using lower security standards.
Even if people might misunderstand the meaning of the hashes, they do
not understand security at all. And those can still be helped with a
good explanation of those checks on the wiki with a link to the GPG
templates (see below).

[1]
https://lists.archlinux.org/pipermail/arch-general/2016-December/042737.html

On 12/07/2016 11:17 AM, Gregory Mullen wrote:
> If the argument left is, I don't want (better checksum) because it's
> shouldn't be thought of as a security check, and I want a security check.
>
> Why can't the requirement be PGP sig's are now required, and we drop the
> checksum completely?
>

That is also what I suggest. If we only move GPG signed Packages to
community, the whole situation will improve. A lot more upstream
projects will then possibly try to use GPG if they want to make it into
our (and possibly also other) distributions.

What we need here is more action from the maintainer side. I've linked
my templates for contacting upstream about using GPG. With those it
would be really easy for them to understand what we need, why and how to
accomplish it.

We already agreed that we need to use GPG whenever possible, but we
should also try to do our best to get upstream to do so. It is really
simple.

~Nico

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-general/attachments/20161207/98185906/attachment.asc>