[arch-general] Stronger Hashes for PKGBUILDs

fnodeuser subscription at binkmail.com
Fri Dec 16 01:35:37 UTC 2016


hello eli,

you have misread and misunderstood a few things.

reread carefully all the messages about the subject,
and check the links in my second email.

i will write only about things that are not covered by the
previous messages.

>Sure they're the same. It is the same underlying technology

you have some studying to do about checksums and message digests.

>Um, what? `pacman -Syu` does, in fact, check that every package is
>signed by a Developer or Trusted User whose key is in archlinux-keyring.

what i said is that the users must check the integrity of the sources too.
it is not something that only the package maintainers must do.
the users must check the PKGBUILD files to compare message digests
and key fingerprints.

>sha256sums is plenty secure enough. So I assume the Firefox maintainer
>uses that mega-file to validate the download, then uses updpkgsums to
>update the current sha256sums rather than using copypasta on Firefox's
>SHA512SUMS file.

no. you will never use less secure than upstream. the best must be used
to future-proof also.

copypasta? no one said to copy-paste anything without verifying first.

>Arch Linux doesn't even have a gnupg1 package, if you want to blame
>someone for the absolute inability to validate that key on Arch Linux
>(independent of makepkg) blame the GnuPG developers for dropping support
>of insecure and tremendously outdated keys.

it does not matter. he will download it on his own to verify it,
and then he will add the sha512 message digest in the PKGBUILD file
to future-proof it.

>Assuming they care about being securely identified on IRC. Maybe they do
>connect securely when they care about proving their identity for a
>specific conversation where it matters.
>
>I will grant you that for common sense alone you might as well connect
>securely whenever possible as it doesn't cost anything. But equally, it
>doesn't cost anything to *not* do so.

"With great power comes great responsibility."
    -Uncle Ben

AL team members must be responsible with their power.
they must follow best security practices.
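The check the thread keeps asking for, as an added shell example that is not part of this thread: verify a downloaded source against the SHA512SUMS list upstream publishes, and confirm that the same digest is what the PKGBUILD's sha512sums array pins. The tarball, SHA512SUMS file and PKGBUILD are constructed sample data; coreutils sha512sum is assumed.

```shell
#!/bin/sh
# Added example, not from the mailing list thread.
# Assumes coreutils sha512sum; every input below is constructed sample data.
set -eu

WORK=$(mktemp -d)
printf 'sample source contents\n' > "$WORK/foo-1.0.tar.xz"
GOOD=$(sha512sum "$WORK/foo-1.0.tar.xz" | cut -d' ' -f1)
# Upstream-style SHA512SUMS: "<hex digest>  <file name>" per line.
printf '%s  foo-1.0.tar.xz\n' "$GOOD" > "$WORK/SHA512SUMS"
# Minimal PKGBUILD (hypothetical package) pinning that digest.
cat > "$WORK/PKGBUILD" <<EOF
pkgname=foo
pkgver=1.0
source=("https://example.invalid/foo-\${pkgver}.tar.xz")
sha512sums=('$GOOD')
EOF

# Hex SHA-512 of a local file.
file_sha512() { sha512sum "$1" | cut -d' ' -f1; }

# Digest upstream lists for a given file name (empty if absent).
upstream_sha512() { awk -v f="$2" '$2 == f { print $1; exit }' "$1"; }

# Every 128-hex-char entry of the PKGBUILD's sha512sums=() array, one per line.
pkgbuild_sha512s() {
  sed -n '/^sha512sums=(/,/)/p' "$1" | grep -o '[0-9a-fA-F]\{128\}'
}

# Succeeds only when local file, upstream list and PKGBUILD all agree.
verify_source() {  # $1=file  $2=SHA512SUMS  $3=PKGBUILD
  local_sum=$(file_sha512 "$1")
  up_sum=$(upstream_sha512 "$2" "$(basename "$1")")
  [ -n "$up_sum" ] || { echo "no upstream digest for $1" >&2; return 1; }
  [ "$local_sum" = "$up_sum" ] || { echo "upstream mismatch for $1" >&2; return 1; }
  pkgbuild_sha512s "$3" | grep -qix "$local_sum" \
    || { echo "PKGBUILD does not pin $local_sum" >&2; return 1; }
  echo "OK: $1 $local_sum"
}

verify_source "$WORK/foo-1.0.tar.xz" "$WORK/SHA512SUMS" "$WORK/PKGBUILD"
```

Any one of the three sources disagreeing (a modified download, a stale PKGBUILD, or a file upstream never listed) makes verify_source fail, which is the point of keeping the strongest upstream digest in the PKGBUILD.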
