[arch-general] Stronger Hashes for PKGBUILDs

Bruno Pagani bruno.pagani at ens-lyon.org
Fri Dec 9 14:15:34 UTC 2016


Le 08/12/2016 à 01:57, Leonid Isaev a écrit :

> On Thu, Dec 08, 2016 at 10:34:59AM +1000, Allan McRae wrote:
>> On 08/12/16 08:51, sivmu wrote:
>>> Am 07.12.2016 um 10:49 schrieb Allan McRae:
>>>>> ...
>>>>> I advocate keeping md5sum as the default because it is broken.  If I see
>>>>> someone purely verifying their sources using md5sum in a PKGBUILD (and
>>>>> not pgp signature), I know that they have done nothing to actually
>>>>> verify the source themselves.
>>>>> ...
>>> That is a very dangerous assumtion. I know for a fact that many
>>> maintainers used md5 for verification because it is the default.
>>> There are/were maintainers that downloaded the source, verified the pgp
>>> signature and generated the md5 checksum to include it in the PKGBUILD
>>> (without the pgp signature)
>> Idiots...  so again using md5sums as the default saves me from people
>> who don't know how to package.
> Actually, this might not be so crazy. Sometimes you get a signed sha*sums file
> instead of signed source, so you don't include the key in validpgpkeys array.
> For example, when building Firefox, I have to manually verify the sig on
> SHA512SUMS and then paste the sha512sum into PKGBUILD. But this is because I'm
> paranoid... I guess one can simply do makepkg -g, hmm.
>
> Hence the question, why have this flag at all? And should it be possible to
> specify an external (signed) hash-file in PKGBUILD?
>
> Thx,
> L.

What is wrong with adding the sha*sum file and its signature in the
source array and then use validpgpkeys?

Bruno

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 525 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-general/attachments/20161209/2eb78cb8/attachment.asc>


More information about the arch-general mailing list