[arch-general] Stronger Hashes for PKGBUILDs

Florian Pritz bluewind at xinu.at
Mon Dec 26 12:59:29 UTC 2016


On 26.12.2016 13:12, NicoHood wrote:
> So we needed to verify the source otherwise. But there was no real
> option as md5/sha1 is broken

I fully agree that using stronger hashes is generally a good idea, but
please stop being ridiculous.

> and his internet is too slow to download it
> again via torrent. 

If you put your file at the location where the torrent client downloads
the file to, it will detect this and check the existing file contents.

Also, you know that torrent also uses SHA1 hashes internally, right?

> The ArchLinux website connects via https. His mirror that he used did
> not (http or ftp).

https or not, the mirror admin has full control and can easily change
the files. Please stop being pedantic and look at the bigger picture.
Then you'd also see that it's much easier for an attacker to target our
website and change the hashes there than trying to find an
md5/sha1/filesize collision and then getting that file to you via
one/all of our mirrors without having access to our servers.

There are many trade-offs and attack vectors when it comes to security.
Don't focus on a single one. You could have improved a lot with all the
dedication and time you put into these discussions if you worked on
other things with more impact.

Florian
