[arch-general] Stronger Hashes for PKGBUILDs

NicoHood archlinux at nicohood.de
Mon Dec 26 12:35:23 UTC 2016 


On 12/26/2016 01:21 PM, Allan McRae wrote:
> On 26/12/16 22:12, NicoHood wrote:
>>
>>
>> On 12/16/2016 05:46 PM, Diego Viola via arch-general wrote:
>>> On Sat, Dec 3, 2016 at 3:27 AM, fnodeuser <subscription at binkmail.com> wrote:
>>>> https://lists.archlinux.org/pipermail/arch-dev-public/2016-November/028492.html
>>>>
>>>> i have a few things to add to this.
>>>>
>>>> the message digests at the download page for the .iso file, must change to sha256 and sha512 ones, or to a sha512 one.
>>>>
>>>> if an upstream does not sign the files, does not have https enabled, and/or refuses to take security and privacy seriously, sha512 must be used in the PKGBUILD files.
>>>>
>>>> in the cases of upstreams that use md5 and/or sha1 message digests, those will be added in a second ALGOsums= line under the sha512sums= line.  if they use md5 and sha1, then sha1sums must be used for the second ALGOsums= line.
>>>
>>> Once again I must say thanks, fnodeuser.
>>>
>>
>> Yesterday I wanted to install ArchLinux on someone else computer. He
>> used Windows until now and had no gpg handy yet (it is really annoying
>> to install on windows).
>>
>> So we needed to verify the source otherwise. But there was no real
>> option as md5/sha1 is broken and his internet is too slow to download it
>> again via torrent. We did not install Arch then and I will send him my
>> sha512sum from my computer the next days where I did a torrent download.
>>
>> The ArchLinux website connects via https. His mirror that he used did
>> not (http or ftp). So we had a real problem and there was no way to
>> verify the source properly. Adding sha256 and sha512 would not cause
>> more trouble but would be extremely helpful here.
>>
>> @Allan I think you are responsible for this if I am correct. Would you
>> please be so kind and add sha256 sums to the download page?
> 
> I have nothing to do with this.
> 
> Also, is there even a theoretical case where a joint md5 and sha1
> collision has occured?
> 

Oh sorry.

ArchLinux wants to KISS, so we should simply add stronger hashes instead
of requiring the user to download two tools. Its quite a struggle to
find a hash tool for windows anyways.

Also the website should state from which person the signature is and
which fingerprint it uses. I still could not find this information
(otherwise I'd contact this person).

Going to add a bugreport instead: https://bugs.archlinux.org/task/52273

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-general/attachments/20161226/17b94c86/attachment.asc>

More information about the arch-general mailing list