[arch-general] Stronger Hashes for PKGBUILDs

Leonid Isaev leonid.isaev at jila.colorado.edu
Thu Dec 8 00:57:44 UTC 2016


On Thu, Dec 08, 2016 at 10:34:59AM +1000, Allan McRae wrote:
> On 08/12/16 08:51, sivmu wrote:
> > Am 07.12.2016 um 10:49 schrieb Allan McRae:
> >> > ...
> >> > I advocate keeping md5sum as the default because it is broken.  If I see
> >> > someone purely verifying their sources using md5sum in a PKGBUILD (and
> >> > not pgp signature), I know that they have done nothing to actually
> >> > verify the source themselves.
> >> > ...
> > That is a very dangerous assumtion. I know for a fact that many
> > maintainers used md5 for verification because it is the default.
> > There are/were maintainers that downloaded the source, verified the pgp
> > signature and generated the md5 checksum to include it in the PKGBUILD
> > (without the pgp signature)
> 
> Idiots...  so again using md5sums as the default saves me from people
> who don't know how to package.

Actually, this might not be so crazy. Sometimes you get a signed sha*sums file
instead of signed source, so you don't include the key in validpgpkeys array.
For example, when building Firefox, I have to manually verify the sig on
SHA512SUMS and then paste the sha512sum into PKGBUILD. But this is because I'm
paranoid... I guess one can simply do makepkg -g, hmm.

Hence the question, why have this flag at all? And should it be possible to
specify an external (signed) hash-file in PKGBUILD?

Thx,
L.
-- 
Leonid Isaev


More information about the arch-general mailing list