[arch-general] Stronger Hashes for PKGBUILDs

Leonid Isaev leonid.isaev at jila.colorado.edu
Fri Dec 9 23:30:15 UTC 2016


On Fri, Dec 09, 2016 at 03:15:34PM +0100, Bruno Pagani wrote:
> Le 08/12/2016 à 01:57, Leonid Isaev a écrit :
> 
> > On Thu, Dec 08, 2016 at 10:34:59AM +1000, Allan McRae wrote:
> >> On 08/12/16 08:51, sivmu wrote:
> >>> Am 07.12.2016 um 10:49 schrieb Allan McRae:
> >>>>> ...
> >>>>> I advocate keeping md5sum as the default because it is broken.  If I see
> >>>>> someone purely verifying their sources using md5sum in a PKGBUILD (and
> >>>>> not pgp signature), I know that they have done nothing to actually
> >>>>> verify the source themselves.
> >>>>> ...
> >>> That is a very dangerous assumption. I know for a fact that many
> >>> maintainers used md5 for verification because it is the default.
> >>> There are/were maintainers that downloaded the source, verified the pgp
> >>> signature and generated the md5 checksum to include it in the PKGBUILD
> >>> (without the pgp signature)
> >> Idiots...  so again using md5sums as the default saves me from people
> >> who don't know how to package.
> > Actually, this might not be so crazy. Sometimes you get a signed sha*sums file
> > instead of signed source, so you don't include the key in validpgpkeys array.
> > For example, when building Firefox, I have to manually verify the sig on
> > SHA512SUMS and then paste the sha512sum into PKGBUILD. But this is because I'm
> > paranoid... I guess one can simply do makepkg -g, hmm.
> >
> > Hence the question, why have this flag at all? And should it be possible to
> > specify an external (signed) hash-file in PKGBUILD?
> >
> > Thx,
> > L.
> 
> What is wrong with adding the sha*sum file and its signature in the
> source array and then use validpgpkeys?

And then what?

-- 
Leonid Isaev
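Added example, not from the thread and not makepkg's own code: a small POSIX shell helper for the manual step Leonid describes (verify the signature on an upstream SHA512SUMS file, then check the downloaded tarball against the entry in it). The file names, the expected key fingerprint and the source name are assumptions; the signing key must already be in the local gpg keyring.

```shell
#!/bin/sh
# Verify a signed upstream sums file, then check a source tarball against it.
# Assumed inputs: SHA512SUMS, SHA512SUMS.asc, a tarball and a key fingerprint.
set -eu

# Check the detached signature on the sums file and require that it was made
# by the one key we trust. gpg emits "[GNUPG:] VALIDSIG <fpr> ..." on the
# status fd for a good signature; matching the fingerprint rejects a valid
# signature from any other key that happens to be in the keyring.
verify_sums_signature() {  # $1=sums file  $2=detached .asc  $3=expected fingerprint
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG $3 "
}

# Look up the tarball in the (already verified) sums file and compare the
# listed sha512 with the hash of the local copy. The optional third argument
# is the name as it appears in the sums file (e.g. a relative path); it
# defaults to the tarball's basename. Returns 0 on match, 1 on mismatch
# (or an ambiguous listing), 2 if the file is not listed at all.
check_source_hash() {  # $1=sums file  $2=downloaded source  [$3=name in sums file]
    name=${3:-$(basename "$2")}
    # sha512sum lines are "<hash>  <name>" or "<hash> *<name>" (binary mode).
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) print $1 }' "$1")
    [ -n "$expected" ] || return 2
    actual=$(sha512sum "$2" | awk '{ print $1 }')
    [ "$expected" = "$actual" ] || return 1
}

# Usage: ./check.sh SHA512SUMS SHA512SUMS.asc <fingerprint> <tarball>
if [ "$#" -eq 4 ]; then
    verify_sums_signature "$1" "$2" "$3" && check_source_hash "$1" "$4" \
        && echo "signature and sha512 OK for $4"
fi
```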