[arch-general] Stronger Hashes for PKGBUILDs

Eli Schwartz eschwartz at archlinux.org
Wed May 9 04:31:39 UTC 2018

On 05/08/2018 11:53 PM, Leonid Isaev via arch-general wrote:
>> - not any sort of security check at all, they're there for CRC purposes,
>>   and using strong CRC is security theater because the maintainer
>>   probably just blindly ran updpkgsums without checking anything at all
>>   so they generated very strong fake hashes -- come back when you have
>>   PGP[1] which is actually security
> In this case, even using gpg keys won't guarantee security because verifying a
> key via a side channel is not much easier than the hash.

I'm not sure what you mean. PGP is by its very nature very secure: you
establish an ongoing relationship with the key holder and can verify
many, many objects, like the entire release history, instead of
independently bootstrapping the TOFU (Trust On First Use) model with
every new release.

PGP keys are also far more likely to appear in multiple independently
verifiable locations: you can embed them in your DNS records, post them
on your blog, github profile, keybase.io proofs utilizing DNS as well as
social media linkages, email footer (and signed email history) to
establish a difficult-to-falsify history, or simply follow the PGP web
of trust.

Eli Schwartz
Bug Wrangler and Trusted User

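The distinction the thread draws, between sources makepkg verifies against a pinned PGP key and sources covered only by a checksum the maintainer may have regenerated with updpkgsums, can be audited mechanically. The following script is an added example, not part of this message or of any Arch tool; the PKGBUILD text it parses is constructed, and the fingerprint in validpgpkeys is a placeholder. It treats a detached .sig/.asc entry as binding only when validpgpkeys is non-empty, since without it makepkg accepts any key already trusted in the builder's keyring.

```python
"""Classify PKGBUILD sources: PGP-signed, checksum-only, or unverified."""
import re

# Constructed sample PKGBUILD (not a real package): a tarball with a detached
# signature, a patch covered only by its hash, and a VCS source hashed as SKIP.
SAMPLE_PKGBUILD = r"""
pkgname=example
pkgver=1.2.3
source=("https://example.invalid/example-$pkgver.tar.gz"
        "https://example.invalid/example-$pkgver.tar.gz.sig"
        "fix-build.patch"
        "git+https://example.invalid/helper.git")
sha256sums=('bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'
            'SKIP'
            'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
            'SKIP')
validpgpkeys=('0123456789ABCDEF0123456789ABCDEF01234567')  # placeholder
"""

def parse_array(text, name):
    """Return the quoted items of a bash array assignment `name=(...)`."""
    m = re.search(rf"^\s*{name}=\((.*?)\)", text, re.M | re.S)
    if not m:
        return []
    return [a or b for a, b in re.findall(r"'([^']*)'|\"([^\"]*)\"", m.group(1))]

def local_name(entry):
    """Local filename of a source entry: `name::url` prefix, else URL basename."""
    return entry.split("::", 1)[0] if "::" in entry else entry.rsplit("/", 1)[-1]

def audit(pkgbuild):
    sources = parse_array(pkgbuild, "source")
    sums_m = re.search(r"^\s*(\w+sums)=\(", pkgbuild, re.M)
    sums = parse_array(pkgbuild, sums_m.group(1)) if sums_m else []
    sums += ["SKIP"] * (len(sources) - len(sums))   # missing entries verify nothing
    pinned = parse_array(pkgbuild, "validpgpkeys")
    names = [local_name(s) for s in sources]
    # A source is signed if a sibling .sig/.asc entry exists for its filename.
    sig_for = {n.rsplit(".", 1)[0] for n in names if n.endswith((".sig", ".asc"))}
    report = {"signed": [], "checksum_only": [], "unverified": [], "pinned_keys": pinned}
    for name, csum in zip(names, sums):
        if name.endswith((".sig", ".asc")):
            continue                                   # the signature file itself
        if name in sig_for and pinned:
            report["signed"].append(name)              # verified against a pinned key
        elif csum.upper() != "SKIP":
            report["checksum_only"].append(name)       # only as trustworthy as updpkgsums
        else:
            report["unverified"].append(name)          # makepkg checks nothing here
    return report

if __name__ == "__main__":
    for kind, items in audit(SAMPLE_PKGBUILD).items():
        print(f"{kind}: {items}")
```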