[arch-general] Stronger Hashes for PKGBUILDs
fnodeuser
subscription at binkmail.com
Thu Dec 8 17:20:44 UTC 2016
checksums and message digests are not the same thing.[1]
checksums are not suitable for integrity verification, and the best (meaning, at the time of writing and for the foreseeable future, most secure),
currently supported cryptographic hash function algorithm (that is sha512 in AL's case), must be used to compute the message digests of the files.
message digests are one of the things that we can and must use for security. not all upstreams have https enabled and not all of them sign their files
with gpg.
it was because of me that the 'Use gpg signatures and https sources' task was added to the todo list.[2][3][4]
these things must be checked by the users also, not only by the package maintainers. i check everything, most of you check nothing. you just do 'pacman
-Syu'.
let us start with firefox's PKGBUILD file for the first example. you are using sha256mds instead of sha512mds. you can see at
https://ftp.mozilla.org/pub/firefox/releases/50.0.2/, that there are 3 files, KEY, SHA512SUMS, and SHA512SUMS.asc. that is one example where you are
using a smaller digest size than upstream, that cannot be verified with the signature. another example is nmap's PKGBUILD file. you continued to use
sha1mds instead of sha512mds.[5]
in Gentoo they use 3 mds and in Debian they use 2 mds (for all packages, regardless of what upstreams do or do not do (in Debian's case they sign the
files containing the mds)).[6][7]
there are a few package maintainers who insist on using and/or are still using only a part of the commit or tag hash. the whole commit or tag hash must
be used, always.
the refusal to future-proof.[8] i talked with the lsof upstream. he told me that he has retired, that he is old, and that he might stop maintaining it.
it is unlikely that he will create a new keypair any time soon and he might never do that.
another bad thing that many AL team members do, is connecting to irc servers without using tls and certificate verification.
that is all for now.
_
[1] https://en.wikipedia.org/wiki/Checksum, https://en.wikipedia.org/wiki/Cryptographic_hash_function
[2] https://bugs.archlinux.org/task/51579
[3] https://lists.archlinux.org/pipermail/arch-dev-public/2016-October/028416.html
[4] https://bugs.archlinux.org/index.php?opened=23845&status[]=, https://bugs.archlinux.org/index.php?opened=23412&status[]=, and
https://bugs.archlinux.org/index.php?opened=23101&status[]=
[5] https://nmap.org/dist/sigs/nmap-7.31.tar.bz2.digest.txt
[6] https://gitweb.gentoo.org/repo/gentoo.git/tree/www-client/firefox/Manifest
[7] https://ftp.acc.umu.se/debian/pool/main/f/firefox/firefox_50.0.2-1.dsc
[8] https://bugs.archlinux.org/task/50482
More information about the arch-general
mailing list