[arch-general] Stronger Hashes for PKGBUILDs

Eli Schwartz eschwartz at archlinux.org
Wed May 9 03:38:01 UTC 2018


On 05/08/2018 10:08 PM, Leonid Isaev via arch-general wrote:
> Hi,
> 
> 	I'm intentionally using the title from Nov/Dec 2016 [0] to ease
> googling. I decided to check the status of this, and there are still 325
> packages with only md5sums in [core] and [extra] (I didn't check [community]).
> Below results are generated by the attached script... Is there anything I can
> do (like sending reports to the Flyspray) to help convert those PKGBUILDs to
> SHA hashes? 

When you say "still", that implies that there was any sort of effort to
change that in the first place...

It will be closed as WONTFIX. That's a maintainer choice, and there are
differing opinions about whether stronger checksums are:

- not any sort of security check at all, they're there for CRC purposes,
  and using strong CRC is security theater because the maintainer
  probably just blindly ran updpkgsums without checking anything at all
  so they generated very strong fake hashes -- come back when you have
  PGP[1] which is actually security

- actively dangerous as people think strong checksums equals security,
  which makes them trust the sources even when they shouldn't; like
  security theater except used as a justification for the other extreme

- better than nothing, and therefore very useful since it ensures that
  you at least rebuilt the same thing the maintainer did

- very much security, because obviously the maintainer verifies sources
  out of band, and checksums are their way of telling us what the
  canonical sources are

FWIW I agree with point #3, but I estimate there's zero chance of
universal consensus, and would prefer not to see a failed crusade rile
people up. Again.

As extensively discussed in several mailing list and forum threads, the
best way to get security which everyone agrees on is to encourage
upstream developers to PGP-sign their sources. I've done quite a bit of
work on the existing TODO[1] which we have for implementing better PGP
checks (and HTTPS for both privacy and TLS endpoint verification), in
addition to providing the patchset[2] for makepkg (available in git
master and awaiting the 5.1 release) which allows verifying git(1)
signed commits/tags.

This is honestly a much better use of everyone's time.

[1] https://www.archlinux.org/todo/use-gpg-signatures-and-https-sources/
[2]
https://git.archlinux.org/pacman.git/log/?id=37a89e2fac704babbe3badf0d9df0d41ec622f6f&showmsg=1

-- 
Eli Schwartz
Bug Wrangler and Trusted User
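The distinction drawn in points #1 and #3 above (a checksum proves you rebuilt what the maintainer had, not that the bytes are authentic) is easy to see with a small script. The following is an added example, not part of the original message or of makepkg; `record_sum` and `verify_sum` are hypothetical helpers that mimic how a `sha256sums=` entry is generated and checked, and the "source" file is constructed locally so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original message): shows what a checksum in a
# PKGBUILD does and does not verify. All files here are constructed locally.

# Record the checksum of a source file the way a maintainer would
# (sha256sum is coreutils; the hash is the first field of its output).
record_sum() {
    sha256sum "$1" | cut -d' ' -f1
}

# Verify a file against a recorded hash, the way a sha256sums= check does.
# Returns 0 when they match, 1 otherwise.
verify_sum() {
    file=$1
    expected=$2
    actual=$(record_sum "$file")
    [ "$actual" = "$expected" ]
}

# Walk through the three situations the thread describes:
#  1. the recorded hash catches a source that differs from what the
#     maintainer fetched (the "better than nothing" case);
#  2. regenerating the hash from whatever is on disk without checking its
#     content (the "blindly ran updpkgsums" case) makes any file pass,
#     so the checksum records provenance from the maintainer, not upstream.
demo() {
    dir=$(mktemp -d)
    src="$dir/foo-1.0.tar"
    printf 'upstream content\n' > "$src"
    recorded=$(record_sum "$src")

    verify_sum "$src" "$recorded" && echo "unmodified source: OK"

    # Same file name, different bytes (e.g. a mirror served something else).
    printf 'something else\n' > "$src"
    verify_sum "$src" "$recorded" || echo "modified source: checksum mismatch (detected)"

    # updpkgsums-style refresh: the new hash matches by construction, so a
    # checksum alone cannot tell a reviewer whether the content was vetted.
    regenerated=$(record_sum "$src")
    verify_sum "$src" "$regenerated" && echo "after blind regeneration: OK (difference no longer visible)"

    rm -rf "$dir"
}

demo
```

The script needs only POSIX sh and coreutils. What it cannot show is the piece the thread recommends instead: an upstream signature checked against `validpgpkeys`, which binds the bytes to a key the maintainer chose rather than to whatever was on disk when the sums were generated.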

