[arch-general] Stronger Hashes for PKGBUILDs

Leonid Isaev leonid.isaev at jila.colorado.edu
Wed May 9 04:54:06 UTC 2018

On Wed, May 09, 2018 at 12:31:39AM -0400, Eli Schwartz via arch-general wrote:
> PGP keys are also far more likely to appear in multiple independently
> verifiable locations, you can embed them in your DNS records, post them
> on your blog, github profile, keybase.io proofs utilizing DNS as well as
> social media linkages, email footer (and signed email history) to
> establish a difficult-to-falsify history, or simply follow the PGP web
> of trust.

It is all true. But... if I care to only do "makepkg -g >> PKGBUILD", then I'm
unlikely to follow the web of trust, and if I'm going to scout mailing lists for
email footers, I will also scout debian, gentoo, alpine and fedora repos for
different hashes. That was my only point, but we are mixing policy and
technical issues.

If hashes are supposed to mean that I'm building the same source as the
maintainer, then using only md5sums negates this because the source can be
silently swapped using existing libraries, and attackers don't even need to
know the mathematics behind md5 collisions... I agree that using strong hashes
alone does not address the security of source distribution, but neither does HTTPS
for instance. At least, with sha-2 hashes, point #3 of your previous email
makes sense.

Leonid Isaev
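As an added illustration of the point made above about md5sums (example code written for this page, not part of makepkg or anything from the Arch project or the thread participants): a small Python audit that parses the checksum arrays of a PKGBUILD, reports arrays that rely on md5 or sha1, and verifies a source blob against a sha256sums entry, honouring makepkg's `SKIP` marker. The PKGBUILD fragments and the source bytes are constructed samples; the parser assumes the plain `name=('…' '…')` array layout that `makepkg -g` emits.

```python
"""Audit the checksum arrays in a PKGBUILD and verify a source against them.

Example code for this page; it is not makepkg's own checksum logic.
"""
import hashlib
import re

# Checksum arrays makepkg accepts. md5 and sha1 are classed as weak because
# practical collision attacks exist for both, so a matching md5sum no longer
# proves that the builder fetched the same source the maintainer hashed.
WEAK = {"md5sums", "sha1sums"}
STRONG = {"sha224sums", "sha256sums", "sha384sums", "sha512sums", "b2sums"}
HASHERS = {
    "md5sums": hashlib.md5, "sha1sums": hashlib.sha1,
    "sha224sums": hashlib.sha224, "sha256sums": hashlib.sha256,
    "sha384sums": hashlib.sha384, "sha512sums": hashlib.sha512,
    "b2sums": hashlib.blake2b,
}

# Matches e.g.  sha256sums=('abc...'\n            'SKIP')  including arrays
# that span several lines; values may be single- or double-quoted.
ARRAY_RE = re.compile(r"^\s*(\w+sums)=\((.*?)\)", re.MULTILINE | re.DOTALL)


def parse_checksums(pkgbuild_text):
    """Return {array_name: [value, ...]} for every *sums array in the PKGBUILD."""
    arrays = {}
    for name, body in ARRAY_RE.findall(pkgbuild_text):
        arrays[name] = re.findall(r"""['"]([^'"]*)['"]""", body)
    return arrays


def audit(pkgbuild_text):
    """Report which checksum arrays are present and whether any strong one exists."""
    arrays = parse_checksums(pkgbuild_text)
    weak = sorted(n for n in arrays if n in WEAK)
    strong = sorted(n for n in arrays if n in STRONG)
    return {"weak": weak, "strong": strong, "ok": bool(strong)}


def verify(data, array_name, expected):
    """Check one source blob against the checksum recorded for it."""
    if array_name not in HASHERS:
        raise ValueError(f"unknown checksum array {array_name}")
    if expected == "SKIP":
        return True  # makepkg treats SKIP as "do not verify this entry"
    return HASHERS[array_name](data).hexdigest() == expected


# Constructed sample source and PKGBUILD fragments (not real packages).
SOURCE = b"constructed example source tarball\n"

WEAK_ONLY_PKGBUILD = f"""\
pkgname=example
pkgver=1.0
source=("example-$pkgver.tar.gz")
md5sums=('{hashlib.md5(SOURCE).hexdigest()}')
"""

STRONG_PKGBUILD = f"""\
pkgname=example
pkgver=1.0
source=("example-$pkgver.tar.gz"
        "example.patch")
sha256sums=('{hashlib.sha256(SOURCE).hexdigest()}'
            'SKIP')
"""

if __name__ == "__main__":
    for label, text in (("weak-only", WEAK_ONLY_PKGBUILD), ("strong", STRONG_PKGBUILD)):
        print(label, audit(text))
    sums = parse_checksums(STRONG_PKGBUILD)["sha256sums"]
    print("source matches sha256sums[0]:", verify(SOURCE, "sha256sums", sums[0]))
    print("tampered source matches:", verify(SOURCE + b"x", "sha256sums", sums[0]))
```

Run over a real PKGBUILD, `audit` flags packages whose only integrity check is an md5sums or sha1sums array; `verify` is the check `makepkg` performs per source entry, shown here so the effect of a stronger array is visible: a tampered tarball fails the sha256 comparison while a `SKIP` entry is never checked at all.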

