[arch-general] [arch-dev-public] todo list for moving http -> https sources
Patrick Burroughs (Celti)
celti at celti.name
Mon Oct 31 15:03:55 UTC 2016
On Mon, 31 Oct 2016 15:19:40 +0100
NicoHood <arch-dev at nicohood.de> wrote:
> Using PGP signatures is another discussion, also the hash algorithm. I
> think we should discuss that in another post, appart from https. From
> my point of view its highly important to use a strong hash function
> as its highly important for the source integrity and not only meant
> as checksum for corruption detection. And as always: more secure does
> not hurt nowadays
Not a dev, here, but... I strongly think that source integrity should
not rely on hash functions alone. makepkg already includes validation of
PGP-signed sources, but it's perhaps not reasonable to expect every
upstream to offer signed sources.
As a middle ground, I think it would be more reasonable (or at least,
less unreasonable) to modify makepkg to allow signing PKGBUILDs, or at
least parts of them. For an existing example, OpenBSD's signify(1) uses
their cryptographic signature system to sign a simple list sha256sums.
Perhaps makepkg could include, e.g., a sha256sumsigs array, that
contains a PGP signature (signed by the developer/TU's official key)
of the contents (properly serialised by makepkg so there's a minimum
of possible ambiguity) of the sha256sums array?
~Celti
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-general/attachments/20161031/d1e3755f/attachment.asc>
More information about the arch-general
mailing list