[arch-general] Stronger Hashes for PKGBUILDs

Eli Schwartz eschwartz93 at gmail.com
Fri Dec 16 05:03:36 UTC 2016


On 12/15/2016 08:35 PM, fnodeuser wrote:
> hello eli,
> 
> you have misread and misunderstood a few things.

No I haven't. But you've broken the response headers again in your
reply. Using temporary email addresses on the mailing list is incredibly
annoying; if you are that concerned about your privacy, you will be a
lot happier simply unplugging from the internet altogether.

It is kind of dishonest of you. ;) How do I know it is really you who
sent that? Which is kind of ironic, considering the topic of this thread.

/cc Allan, please blacklist this.

> reread carefully all the messages about the subject,
> and check the links in my second email.

I did. That's how I formed my initial conclusions.

> 
> i will write only about things that are not covered by the
> previous messages.
> 
>> Sure they're the same. It is the same underlying technology
> 
> you have some studying to do about checksums and message digests.

You have some studying to do about nitpicking over implementation
details. Especially because your own Wikipedia links agree with me,
although perhaps you just never read the article so you didn't realize.

But since you are determined to ignore common sense, I'll ask you a
question in response: If "checksums are not suitable for integrity
verification", why do you care? MD5, heck CRC, works just as well as
anything else for preventing data corruption, which apparently is all
you think they are good for.

>> Um, what? `pacman -Syu` does, in fact, check that every package is
>> signed by a Developer or Trusted User whose key is in archlinux-keyring.
> 
> what i said is that the users must check the integrity of the sources too.
> it is not something that only the package maintainers must do.
> the users must check the PKGBUILD files to compare message digests
> and key fingerprints.

You didn't say that. But now that you do say that, I can tell you that
you are wrong.
On no operating system does anyone care about that. Only as a byproduct
of source-based operating systems do some (a small minority of) people
even check that, whether they care or not.

The maintainers are maintainers because we trust them to be honest. And
if they aren't honest, you are an absolute fool for thinking you can
check the source in order to catch malicious modifications in the
compiled binaries.

>> sha256sums is plenty secure enough. So I assume the Firefox maintainer
>> uses that mega-file to validate the download, then uses updpkgsums to
>> update the current sha256sums rather than using copypasta on Firefox's
>> SHA512SUMS file.
> 
> no. you will never use less secure than upstream. the best must be used
> to future-proof also.

Yes, I will use less secure than upstream. What matters is that the
Firefox maintainer has proven to himself that he isn't releasing
maliciously-modified source code artifacts into the repositories.

> copypasta? no one said to copy-paste anything without verifying first.

And, you completely missed my point.

>> Arch Linux doesn't even have a gnupg1 package, if you want to blame
>> someone for the absolute inability to validate that key on Arch Linux
>> (independent of makepkg) blame the GnuPG developers for dropping support
>> of insecure and tremendously outdated keys.
> 
> it does not matter. he will download it on his own to verify it,
> and then he will add the sha512 message digest in the PKGBUILD file
> to future-proof it.

But "he" hasn't verified anything. That is the whole point, that ancient
key format isn't secure and doesn't authenticate the message source.

Also, there is no way Arch maintainers will install an AUR package just
so they can read insecure keys to satisfy their curiosity about a package.

>> Assuming they care about being securely identified on IRC. Maybe they do
>> connect securely when they care about proving their identity for a
>> specific conversation where it matters.
>>
>> I will grant you that for common sense alone you might as well connect
>> securely whenever possible as it doesn't cost anything. But equally, it
>> doesn't cost anything to *not* do so.
> 
> "With great power comes great responsibility."
> 				-Uncle Ben
> 
> AL team members must be responsible with their power.
> they must follow best security practices.

All power corrupts. Absolute power corrupts absolutely.

So if we are going with pop culture quotes, let's just be grateful the
Arch maintainers aren't abusing their positions even more than they
already are.

-- 
Eli Schwartz

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-general/attachments/20161216/28926b95/attachment.asc>
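Added example, not code from this thread, from Eli, or from Arch's makepkg/updpkgsums tooling: a POSIX shell model of the packager workflow argued about above. The maintainer verifies the downloaded tarball against upstream's SHA512SUMS file, records a sha256sum in the PKGBUILD, and a user's makepkg run recomputes that sha256sum. The release file name, its contents, the SHA512SUMS entry and the tampered copy are all constructed inside the script, and the one-entry sha256sums=() line format is an assumption about the PKGBUILD being edited. The point it demonstrates is the one made in the reply: once the original has been checked against upstream, either digest rejects a modified file.

```shell
#!/bin/sh
# Added example, not code from the thread or from Arch's tooling. Models the
# maintainer workflow discussed above: verify the upstream tarball against
# upstream's SHA512SUMS file, then record a sha256sum for the PKGBUILD.
# The release file, its SHA512SUMS entry and the tampered copy are all
# constructed here, so nothing is downloaded.
set -eu

# Create a constructed "upstream release" in a temporary directory and
# print the directory path. File name and contents are made up.
make_fixture() {
  dir=$(mktemp -d)
  printf 'constructed release contents, version 1.0\n' > "$dir/example-1.0.tar.xz"
  # Same "<hex>  <name>" layout that sha512sum prints and that upstream
  # SHA512SUMS files use.
  ( cd "$dir" && sha512sum example-1.0.tar.xz > SHA512SUMS )
  printf '%s\n' "$dir"
}

# Step 1 (maintainer): does the downloaded file match upstream's SHA512SUMS?
# Returns 0 on a match, 1 if the entry is missing or the digest differs.
verify_upstream() {
  file=$1; sums=$2
  expected=$(awk -v f="$(basename "$file")" '$2 == f { print $1 }' "$sums")
  [ -n "$expected" ] || return 1
  actual=$(sha512sum "$file" | awk '{ print $1 }')
  [ "$expected" = "$actual" ]
}

# Step 2 (maintainer): the sha256sums=() entry to put in the PKGBUILD, as
# updpkgsums would regenerate it. The single-entry array form is an
# assumption about the PKGBUILD being edited.
pkgbuild_sha256_line() {
  printf "sha256sums=('%s')\n" "$(sha256sum "$1" | awk '{ print $1 }')"
}

# Step 3 (user running makepkg): recompute and compare against the recorded digest.
check_sha256() {
  [ "$(sha256sum "$1" | awk '{ print $1 }')" = "$2" ]
}

demo() {
  dir=$(make_fixture)
  tarball=$dir/example-1.0.tar.xz

  verify_upstream "$tarball" "$dir/SHA512SUMS" || return 1
  echo "upstream sha512 matches"
  line=$(pkgbuild_sha256_line "$tarball")
  echo "PKGBUILD gets: $line"
  recorded=${line#"sha256sums=('"}; recorded=${recorded%"')"}
  check_sha256 "$tarball" "$recorded" || return 1
  echo "makepkg-style sha256 check passes"

  # A single appended byte is caught by both digests: once the maintainer
  # has verified the original against upstream, either one detects
  # later modification of the file.
  printf 'x' >> "$tarball"
  if verify_upstream "$tarball" "$dir/SHA512SUMS"; then return 1; fi
  if check_sha256 "$tarball" "$recorded"; then return 1; fi
  echo "modified tarball rejected by both sha512 and sha256"
  rm -rf "$dir"
}

demo
```

Run it as-is with coreutils present; it needs no network. Swapping sha256sum for md5sum in check_sha256 would still catch the appended byte, which is the corruption-detection point made earlier in the reply; what the stronger digest buys is resistance to deliberately constructed collisions, not better detection of accidental damage.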

