[arch-general] Stronger Hashes for PKGBUILDs

Leonid Isaev leonid.isaev at jila.colorado.edu
Wed Dec 7 22:42:55 UTC 2016


On Wed, Dec 07, 2016 at 01:58:16AM -0800, Gregory Mullen wrote:
> > I advocate keeping md5sum as the default because it is broken.  If I see
> > someone purely verifying their sources using md5sum in a PKGBUILD (and
> > not pgp signature), I know that they have done nothing to actually
> > verify the source themselves.
> 
> I advocate making the default house construction straw... Said the wolf to
> the three little pigs.
> 
> Advocating for MD5 as a "this package is insecure" warning flag makes NO
> sense at all. Especially when, if the package is secure (because the
> maintainer verified the PGP sig, and then changed to shaXXX) you still know
> nothing new. But don't say; MD5 is good because I know it's broken, so I
> know the maintainer didn't do their job?
>
> Either validate the PGP keys, or don't. But don't suggest keeping a broken
> system because... why again? So you can learn nothing?

I think you misunderstood Allan. What he says is that by default makepkg
provides only a protection against broken http links at best. If a maintainer
wants security, he must take care of it explicitly. I don't see why this is a
bad idea...

Cheers,
L.

-- 
Leonid Isaev
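As an added illustration of the point Leonid makes (this fragment is not from the thread or from any real package), here is the default-style PKGBUILD that only checks a md5sum beside one where the maintainer takes care of verification explicitly with validpgpkeys and sha256sums. The package name, URL, key fingerprint and checksum values are constructed placeholders.

```bash
# Added example, not from the thread. Package name, URL, fingerprint and
# checksums below are constructed placeholders, not real values.

# --- Default-style: md5sums only ------------------------------------------
# makepkg still rejects a truncated or corrupted download, which is all this
# buys you; it says nothing about who produced the tarball.
pkgname=example
pkgver=1.0
source=("https://example.invalid/${pkgname}-${pkgver}.tar.gz")
md5sums=('PLACEHOLDER_MD5_FROM_makepkg_-g')   # placeholder, generate with makepkg -g

# --- Explicit verification: upstream signature plus a strong digest --------
# validpgpkeys pins the upstream signing key fingerprint; makepkg fetches the
# detached .sig next to the tarball and fails if it does not verify against a
# key in the builder's keyring or in the package's keys/pgp/ directory.
# sha256sums then guards against corruption; 'SKIP' for the .sig entry is the
# usual convention because the signature itself is what is being checked.
source=("https://example.invalid/${pkgname}-${pkgver}.tar.gz"
        "https://example.invalid/${pkgname}-${pkgver}.tar.gz.sig")
validpgpkeys=('0000000000000000000000000000000000000000')  # placeholder fingerprint
sha256sums=('PLACEHOLDER_SHA256_FROM_makepkg_-g'           # placeholder digest
            'SKIP')
```

The fingerprint in validpgpkeys is the part the maintainer must obtain and check out of band; the digests only need to match what was downloaded when the PKGBUILD was written.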
