[arch-general] Stronger Hashes for PKGBUILDs

NicoHood archlinux at nicohood.de
Fri Dec 16 11:28:06 UTC 2016


On 12/16/2016 09:59 AM, Levente Polyak wrote:
> On 12/16/2016 06:03 AM, Eli Schwartz via arch-general wrote:
>> On 12/15/2016 08:35 PM, fnodeuser wrote:
>>> what i said is that the users must check the integrity of the sources too.
>>> it is not something that only the package maintainers must do.
>>> the users must check the PKGBUILD files to compare message digests
>>> and key fingerprints.
>>
>> You didn't say that. But now that you do say that, I can tell you that
>> you are wrong.
>> On no operating system, does anyone care about that. Only as a byproduct
>> of source-based operating systems, do some (a small minority of) people
>> even check that whether they care or not.
>>
>> The maintainers are maintainers because we trust them to be honest. And
>> if they aren't honest, you are an absolute fool for thinking you can
>> check the source in order to catch malicious modifications in the
>> compiled binaries.
> 
> I agree, there is no point why users _must_ check the integrity of
> sources too. Essentially that's what a maintainer should do and you need
> to trust a maintainer to some degree anyway. That doesn't mean nobody
> should, if a particular group of users wants to, they can. But it is
> certainly nothing users _must_ do.
> In the AUR, it's of course a bit different as you have much less trust in
> an arbitrary maintainer and want to take a look at the PKGBUILD itself
> and also figure out if that's really the right upstream.
> 

And for those who want to check the sources, strong hashes are
important. We are talking about integrity, not checksums. It was
intended as checksum, fine. But the integrity ability of those hashes is
ALSO highly important, not only the checksum ability. People can check
all sources, not only the final (reproducible) build.

We all understood that it would not help the risk of downloading
malicious sources in the first place (TOFU). But it would help in the other
(already multiple times described) scenarios. And that is what we are
talking about. We are not talking about checksums. And it would not hurt
in any way to make sha512 the default, **we can only benefit from that.**

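The check the thread is about, as an added example that is not from any post in the thread: a shell function that verifies each entry of a PKGBUILD's `source` array against the matching `sha512sums` entry, the way makepkg does, and rejects a source file that has been altered by even one byte. The PKGBUILD fragment, the file name and the digest are constructed for the demonstration; it assumes coreutils `sha512sum`.

```shell
#!/bin/sh
# Added example (not makepkg's code): verify a PKGBUILD's sha512sums against
# the local source files. File names and digests below are constructed.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Constructed stand-in for an upstream tarball (contents are arbitrary).
printf 'hello from upstream\n' > example-1.0.tar.gz

# Constructed PKGBUILD fragment; the digest is generated from the file above,
# as a maintainer would do with 'makepkg -g' or 'updpkgsums'.
GOOD="$(sha512sum example-1.0.tar.gz | cut -d' ' -f1)"
cat > PKGBUILD <<EOF
source=('example-1.0.tar.gz')
sha512sums=('$GOOD')
EOF

# verify_sources PKGBUILD_PATH -> returns 0 if every source matches its
# sha512 entry, 1 on the first mismatch. Sources and digests pair by position.
verify_sources() {
    pkgbuild="$1"
    # Pull the single-line arrays out of the PKGBUILD (strip key, parens, quotes).
    digests="$(sed -n "s/^sha512sums=(\(.*\))/\1/p" "$pkgbuild" | tr -d "'")"
    sources="$(sed -n "s/^source=(\(.*\))/\1/p" "$pkgbuild" | tr -d "'")"
    i=1
    for src in $sources; do
        want="$(printf '%s\n' "$digests" | tr ' ' '\n' | sed -n "${i}p")"
        have="$(sha512sum "$src" | cut -d' ' -f1)"
        if [ "$have" != "$want" ]; then
            echo "FAILED: $src (sha512 mismatch)" >&2
            return 1
        fi
        i=$((i + 1))
    done
    return 0
}

# The unmodified source passes.
verify_sources PKGBUILD

# Appending a single byte changes the digest and the source is rejected.
printf 'x' >> example-1.0.tar.gz
if verify_sources PKGBUILD; then
    echo "unexpected pass on modified source" >&2
    exit 1
fi
```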