[arch-general] Stronger Hashes for PKGBUILDs
eschwartz at archlinux.org
Wed May 9 03:38:01 UTC 2018
On 05/08/2018 10:08 PM, Leonid Isaev via arch-general wrote:
> I'm intentionally using the title from Nov/Dec 2016 to ease
> googling. I decided to check the status of this, and there are still 325
> packages with only md5sums in [core] and [extra] (I didn't check [community]).
> The results below are generated by the attached script... Is there anything I can
> do (like sending reports to the Flyspray) to help convert those PKGBUILDs to
> SHA hashes?
When you say "still", that implies that there was any sort of effort to
change that in the first place...
It will be closed as WONTFIX. That's a maintainer choice, and there are
differing opinions about whether stronger checksums are:
- not any sort of security check at all, they're there for CRC purposes,
and using strong CRC is security theater because the maintainer
probably just blindly ran updpkgsums without checking anything at all
so they generated very strong fake hashes -- come back when you have
PGP which is actually security
- actively dangerous as people think strong checksums equals security,
which makes them trust the sources even when they shouldn't; like
security theater except used as a justification for the other extreme
- better than nothing, and therefore very useful since it ensures that
you at least rebuilt the same thing the maintainer did
- very much security, because obviously the maintainer verifies sources
out of band, and checksums are their way of telling us what the
canonical sources are
FWIW I agree with point #3, but I estimate there's zero chance of
universal consensus, and would prefer not to see a failed crusade rile
people up. Again.
As extensively discussed in several mailing list and forum threads, the
best way to get security which everyone agrees on is to encourage
upstream developers to PGP-sign their sources. I've done quite a bit of
work on the existing TODO which we have for implementing better PGP
checks (and HTTPS for both privacy and TLS endpoint verification), in
addition to providing the patchset for makepkg (available in git
master and awaiting the 5.1 release) which allows verifying git(1)
This is honestly a much better use of everyone's time.
Bug Wrangler and Trusted User
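As an added illustration of the kind of audit Leonid describes (his attached script is not on the page, and this is not it): a Python check that reports which PKGBUILDs carry only md5sums, which SKIP every checksum, and which combine validpgpkeys with a detached signature source, the case the reply treats as actual security. The sample PKGBUILD fragments, package names and hash values are constructed for this example.

```python
import re
from typing import Dict, List, Set

# Constructed PKGBUILD fragments for demonstration only; not real Arch packages.
SAMPLE_PKGBUILDS: Dict[str, str] = {
    "md5only": "pkgname=md5only\n"
               "source=('https://example.invalid/md5only-1.0.tar.gz')\n"
               "md5sums=('0cc175b9c0f1b6a831c399e269772661')\n",
    "shahashed": "pkgname=shahashed\n"
                 "source=('https://example.invalid/shahashed-2.3.tar.xz')\n"
                 "sha256sums=('9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08')\n",
    "pgpsigned": "pkgname=pgpsigned\n"
                 "source=('https://example.invalid/pgpsigned-4.1.tar.gz'\n"
                 "        'https://example.invalid/pgpsigned-4.1.tar.gz.sig')\n"
                 "validpgpkeys=('0123456789ABCDEF0123456789ABCDEF01234567')\n"
                 "sha512sums=('SKIP' 'SKIP')\n",
}

# Checksum arrays makepkg understands, optionally arch-suffixed (sha256sums_x86_64 etc.).
CHECKSUM_RE = re.compile(r"^(md5|sha1|sha224|sha256|sha384|sha512|b2)sums(?:_\w+)?=\((.*?)\)",
                         re.MULTILINE | re.DOTALL)
PGPKEYS_RE = re.compile(r"^validpgpkeys=\((.*?)\)", re.MULTILINE | re.DOTALL)
SOURCE_RE = re.compile(r"^source(?:_\w+)?=\((.*?)\)", re.MULTILINE | re.DOTALL)


def audit_pkgbuild(text: str) -> Dict[str, object]:
    """Report which integrity mechanisms one PKGBUILD relies on."""
    algorithms: Set[str] = set()
    values: List[str] = []
    for algo, body in CHECKSUM_RE.findall(text):
        algorithms.add(algo)
        values.extend(v.strip("'\"") for v in body.split())
    sources = " ".join(SOURCE_RE.findall(text))
    return {
        "algorithms": algorithms,
        # Only md5sums arrays present: the case the thread counts.
        "md5_only": algorithms == {"md5"},
        # Every checksum is SKIP: makepkg performs no integrity check on the sources.
        "skip_only": bool(values) and all(v == "SKIP" for v in values),
        # validpgpkeys plus a detached .sig/.asc source: makepkg verifies the signature.
        "pgp_verified": bool(PGPKEYS_RE.search(text)) and bool(re.search(r"\.(?:sig|asc)\b", sources)),
    }


def find_md5_only(pkgbuilds: Dict[str, str]) -> List[str]:
    """Names of the packages whose only checksum arrays are md5sums."""
    return sorted(name for name, text in pkgbuilds.items() if audit_pkgbuild(text)["md5_only"])
```

Running `find_md5_only` over a directory of real PKGBUILDs (read into the same name-to-text mapping) gives the list Leonid asks about; the other two flags separate "hashes present but SKIPped" from "upstream signature actually verified".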