[arch-general] Stronger Hashes for PKGBUILDs

NicoHood archlinux at nicohood.de
Mon Dec 26 12:12:10 UTC 2016



On 12/16/2016 05:46 PM, Diego Viola via arch-general wrote:
> On Sat, Dec 3, 2016 at 3:27 AM, fnodeuser <subscription at binkmail.com> wrote:
>> https://lists.archlinux.org/pipermail/arch-dev-public/2016-November/028492.html
>>
>> I have a few things to add to this.
>>
>> The message digests at the download page for the .iso file must change to sha256 and sha512 ones, or to a sha512 one.
>>
>> If an upstream does not sign the files, does not have https enabled, and/or refuses to take security and privacy seriously, sha512 must be used in the PKGBUILD files.
>>
>> In the cases of upstreams that use md5 and/or sha1 message digests, those will be added in a second ALGOsums= line under the sha512sums= line. If they use md5 and sha1, then sha1sums must be used for the second ALGOsums= line.
> 
> Once again I must say thanks, fnodeuser.
> 

Yesterday I wanted to install ArchLinux on someone else's computer. He
used Windows until now and had no gpg handy yet (it is really annoying
to install on Windows).

So we needed to verify the source otherwise. But there was no real
option, as md5/sha1 are broken and his internet is too slow to download it
again via torrent. We did not install Arch then, and I will send him my
sha512sum from my computer in the next days, where I did a torrent download.

The ArchLinux website connects via https. The mirror that he used did
not (http or ftp). So we had a real problem and there was no way to
verify the source properly. Adding sha256 and sha512 would not cause
more trouble but would be extremely helpful here.

@Allan I think you are responsible for this if I am correct. Would you
please be so kind as to add sha256 sums to the download page?
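The situation in the message above (no gpg available, mirror over plain http, digests only trustworthy if fetched from the https download page) is what the following script handles. It is an added example written for this page, not code from the thread or from Arch's tooling. It assumes GNU coreutils `sha256sum`/`sha512sum` and a hex digest copied from an https page; it chooses the algorithm from the digest length and refuses md5/sha1-length digests outright, so a stale md5 line cannot silently "pass" the check.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): verify a downloaded file
# against a published hex digest, accepting only sha256 or sha512.
# Assumes GNU coreutils sha256sum/sha512sum are on PATH.

# verify_digest FILE HEXDIGEST
# Exit status: 0 = match, 1 = mismatch, 2 = md5/sha1-length digest refused,
# 3 = unrecognised digest length.
verify_digest() {
    file=$1
    # Normalise to lowercase so a digest copied from a web page compares cleanly
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case ${#expected} in
        64)  tool=sha256sum ;;
        128) tool=sha512sum ;;
        32|40)
            echo "refusing md5/sha1 digest for $file: those algorithms are broken" >&2
            return 2 ;;
        *)
            echo "unrecognised digest length ${#expected} for $file" >&2
            return 3 ;;
    esac
    # Compare only the hex field of the "<hex>  <name>" line the tool prints
    actual=$("$tool" -- "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK ($tool): $file" >&2
        return 0
    fi
    echo "MISMATCH ($tool): $file" >&2
    return 1
}

# Usage: ./verify.sh archlinux.iso <sha256-or-sha512-hex-from-https-page>
if [ $# -eq 2 ]; then
    verify_digest "$1" "$2"
    exit $?
fi
```

Run it against the ISO and the digest taken from the https download page; a non-zero exit means the file must not be trusted, and exit status 2 tells you the only digest you had was an md5 or sha1 one, which is exactly the gap the message complains about.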
