[arch-general] Stronger Hashes for PKGBUILDs

sivmu sivmu at web.de
Wed Dec 7 22:51:10 UTC 2016


Am 07.12.2016 um 10:49 schrieb Allan McRae:
> ...
> I advocate keeping md5sum as the default because it is broken.  If I see
> someone purely verifying their sources using md5sum in a PKGBUILD (and
> not pgp signature), I know that they have done nothing to actually
> verify the source themselves.
> ...

That is a very dangerous assumption. I know for a fact that many
maintainers used md5 for verification because it is the default.
There are/were maintainers that downloaded the source, verified the pgp
signature and generated the md5 checksum to include it in the PKGBUILD
(without the pgp signature).

md5 is associated with security even though it is broken. People who do
not know they can use a different checksum will assume the arch build
system is just that crappy and md5sum is the only available validation.

What you associate with md5 is not relevant.


Am 07.12.2016 um 11:09 schrieb Allan McRae:
> On 07/12/16 19:58, Gregory Mullen wrote:
>>> But we don't care about that...  we just want to feel warm and fuzzy with
>>> a false sense of security.
>>
>> No one is suggesting sha*sum replace an actual security/authentication
>> check. Only that maybe it's not a good idea to use a system we all know is
>> broken.
>>
> 
> If everyone knows it is broken, upstream will not be providing md5sums
> to compare against and then any PKGBUILD maintainer that has verified
> the source files using upstream provided hashes will not use md5sum.
> 
Again, a very dangerous assumption.

> All we do by changing away from md5sum as the default is hiding the
> large number of packages that do nothing to verify upstream source
> integrity.
> 
> In fact, I am making CRC the default.
> 

I hope that is NOT sarcasm.
No, seriously, that's what I had in mind from the start: making sure md5 is
not taken as a security thing.
Using a line like crc_checksum_NOTFORSECUREVERIFICATION!!! is an even
better idea.


If you want to know if the package source is verified, why not use the
existence of https or pgp signatures in the build file?

Do you think any default will keep maintainers from generating sha512
checksums without verifying the sources?

A big fat warning about missing validation should automatically be
generated in any package that misses signatures or at least https source
downloads.

And while we are at it, I would like to point out that git downloads are
used as verification as well, and I'm not sure what a crypto expert would
say about that.
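One way to generate the automatic warning the message above asks for, as an added example written for this page (it is not code from the post, from makepkg, or from namcap): a POSIX sh wrapper that has bash source a PKGBUILD the way makepkg does and reports which verification signals the file actually carries: transport (https or ssh versus plain http/ftp/git://), a detached signature plus validpgpkeys, which checksum arrays hold real digests rather than SKIP, and whether git sources are pinned to a commit or tag or follow a moving branch (the git point raised at the end of the message). The two embedded sample PKGBUILDs are constructed for this example, with placeholder hashes, a placeholder fingerprint and example.invalid URLs; the OK/INFO/WARN labels, the "weak" classification of cksums/md5sums/sha1sums and the treatment of unpinned git refs are my choices, not makepkg policy.

```shell
#!/bin/sh
# Added example for this page, not code from the post, makepkg or namcap.
# Reports which verification signals a PKGBUILD actually carries: transport,
# PGP signature material, which checksum arrays hold real digests, and whether
# git sources are pinned. The PKGBUILD is sourced by a child bash, as makepkg
# does, so its top-level code runs: only point this at files you trust.

# Usage: pkgbuild_verification_report /path/to/PKGBUILD
# Prints one OK/INFO/WARN line per finding; exit status 1 if anything WARNed.
pkgbuild_verification_report() {
    bash -c '
        case "$1" in */*) f=$1 ;; *) f=./$1 ;; esac   # never search PATH for it
        # shellcheck disable=SC1090
        . "$f" || exit 2
        warn=0 sigfile=0
        for entry in "${source[@]}"; do
            url=${entry##*::}        # drop the optional "localname::" prefix
            case "$url" in *.sig|*.asc|*.sign) sigfile=1 ;; esac
            case "$url" in
                https://*|git+https://*|ssh://*|git+ssh://*)
                    echo "OK:   authenticated transport: $url" ;;
                http://*|ftp://*|git://*|git+http://*|svn://*|hg+http://*)
                    echo "WARN: unauthenticated transport: $url"; warn=1 ;;
                *://*) echo "INFO: other scheme, check by hand: $url" ;;
                *)     echo "INFO: local file shipped in the package: $url" ;;
            esac
            case "$url" in
                git+*|git://*)
                    case "$url" in
                        *#commit=*|*#tag=*) echo "OK:   git source pinned: $url" ;;
                        *) echo "WARN: git source follows a moving ref: $url"; warn=1 ;;
                    esac ;;
            esac
        done
        if [ "$sigfile" -eq 1 ] && [ "${#validpgpkeys[@]}" -gt 0 ]; then
            echo "OK:   PGP signature with ${#validpgpkeys[@]} pinned key(s)"
        elif [ "$sigfile" -eq 1 ]; then
            echo "WARN: signature listed but validpgpkeys is empty"; warn=1
        else
            echo "WARN: no PGP signature in source="; warn=1
        fi
        strong=0 weak=0
        for arr in cksums md5sums sha1sums sha224sums sha256sums sha384sums sha512sums b2sums; do
            eval "set -- \"\${$arr[@]}\""        # load that array into $@
            [ "$#" -gt 0 ] || continue
            checked=0
            for v; do [ "$v" = SKIP ] || checked=$((checked + 1)); done
            echo "INFO: $arr: $# entries, $checked checked"
            [ "$checked" -gt 0 ] || continue
            case "$arr" in cksums|md5sums|sha1sums) weak=1 ;; *) strong=1 ;; esac
        done
        if [ "$strong" -eq 0 ] && [ "$weak" -eq 1 ]; then
            echo "WARN: only cksums/md5sums/sha1sums: no collision-resistant digest"; warn=1
        elif [ "$strong" -eq 0 ]; then
            echo "WARN: no usable checksum at all"; warn=1
        fi
        exit "$warn"
    ' pkgbuild-report "$1"
}

# Constructed sample: plain http, unpinned git branch, md5 only, no signature.
write_weak_pkgbuild() {
    cat > "$1" <<'EOF'
pkgname=example
pkgver=1.0
pkgrel=1
arch=('any')
source=("http://example.invalid/${pkgname}-${pkgver}.tar.gz"
        "${pkgname}::git+https://example.invalid/${pkgname}.git#branch=master")
md5sums=('00000000000000000000000000000000' 'SKIP')
EOF
}

# Constructed sample: https, detached signature with a pinned (placeholder)
# fingerprint, sha256, git pinned to a commit.
write_strong_pkgbuild() {
    cat > "$1" <<'EOF'
pkgname=example
pkgver=1.0
pkgrel=1
arch=('any')
source=("https://example.invalid/${pkgname}-${pkgver}.tar.gz"
        "https://example.invalid/${pkgname}-${pkgver}.tar.gz.sig"
        "${pkgname}::git+https://example.invalid/${pkgname}.git#commit=0123456789abcdef0123456789abcdef01234567")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000' 'SKIP' 'SKIP')
validpgpkeys=('0123456789ABCDEF0123456789ABCDEF01234567')
EOF
}

# Check the PKGBUILD given on the command line, if any.
[ "$#" -eq 0 ] || pkgbuild_verification_report "$1"
```

Run it as `sh pkgbuild_check.sh ./PKGBUILD`; the weak sample produces four WARN lines and exit status 1, the strong sample only OK/INFO lines and exit status 0. The report deliberately treats a filled sha512sums array as no substitute for a signature: a maintainer can generate sha512 sums just as blindly as md5 sums, which is the point made above, so only the transport, the signature material and the git pin are reported as authentication signals.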
