[arch-general] Stronger Hashes for PKGBUILDs

NicoHood archlinux at nicohood.de
Thu May 10 08:06:08 UTC 2018


On 05/10/2018 01:25 AM, Leonid Isaev via arch-general wrote:
> On Wed, May 09, 2018 at 09:30:51PM +0200, Neven Sajko wrote:
>> I would just like to note that SHA-2 hashes are inferior to Keccak and
>> to BLAKE2. So better not to spend effort migrating to SHA-2.
> 
> Strength of various SHA hashes is a different topic. My only point was that
> relying on md5 these days is like having no hashes at all or using the source
> filename as a hash...
> 
> And there should be no migration -- when a new version of a package is released
> or a rebuild happens, just update the *sums array.
> 
> Cheers,
> 

Hello Leonid Isaev,
I really like your effort on stronger hashes. I totally agree with you
that we need those, if we can't have GPG signatures by the maintainers.
Hashes just help in fewer use cases than GPG signatures, of course, but
they do.

Unfortunately, my experience is that this discussion is useless here
and you should rather start helping with GPG signatures for every package.
If you want to put effort into this topic, which I really appreciate,
please go directly for GPG signatures; otherwise it will just be a
frustrating discussion for you, sadly.

What I can recommend to you for this is to write to upstream projects
who don't use GPG signatures yet. Explain to them why it's important and
help them to improve their software release security. My experience is
that quite a lot of projects did not know about the importance of GPG or
just never looked into it. Just a few refuse to use GPG; leave those for
now.

As additional support you can use the GPGit guides as well as the
automated (same-named) GPGit tool: https://github.com/NicoHood/gpgit
It will help new users to understand GPG and provide them with an easy to
use tool to get started with GPG within a few minutes. Feedback on this is
appreciated.

I wish you all good luck, don't hesitate to contact me further if you
have any great ideas regarding GPG etc.

~Nico
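As an added example (not code from this thread, from Arch, or from GPGit): a small bash audit that reports whether a PKGBUILD relies only on md5sums/sha1sums, on a collision-resistant *sums array, or declares validpgpkeys so that makepkg verifies an upstream signature. The two PKGBUILD fragments, their checksums and the key fingerprint are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: audit a PKGBUILD for weak source integrity checks.
# makepkg verifies each source against the *sums arrays and, when
# validpgpkeys is set, checks a detached upstream signature (.sig/.asc).
# Assumption: the PKGBUILD uses the standard array names makepkg understands.
set -eu

# audit_pkgbuild FILE  ->  prints one word:
#   SIGNED  validpgpkeys declared, so makepkg verifies the signature
#   HASHED  a collision-resistant *sums array, but no GPG verification
#   WEAK    only md5sums/sha1sums, no GPG verification
#   NONE    no checksum arrays at all
audit_pkgbuild() {
    local f="$1" strong weak keys
    # grep -c prints 0 on no match but exits 1; '|| true' keeps set -e quiet.
    strong=$(grep -cE '^[[:space:]]*(sha(224|256|384|512)|b2)sums(_[a-z0-9_]+)?=' "$f" || true)
    weak=$(grep -cE '^[[:space:]]*(md5|sha1)sums(_[a-z0-9_]+)?=' "$f" || true)
    keys=$(grep -cE '^[[:space:]]*validpgpkeys=' "$f" || true)
    if   [ "$keys" -gt 0 ];   then echo SIGNED
    elif [ "$strong" -gt 0 ]; then echo HASHED
    elif [ "$weak" -gt 0 ];   then echo WEAK
    else                           echo NONE
    fi
}

# Constructed PKGBUILD fragments (placeholder package, URL and digests).
WEAK_PKGBUILD=$(mktemp)
cat >"$WEAK_PKGBUILD" <<'EOF'
pkgname=example-weak
pkgver=1.0
source=("https://example.invalid/$pkgname-$pkgver.tar.gz")
md5sums=('d41d8cd98f00b204e9800998ecf8427e')   # placeholder digest
EOF

SIGNED_PKGBUILD=$(mktemp)
cat >"$SIGNED_PKGBUILD" <<'EOF'
pkgname=example-signed
pkgver=1.0
source=("https://example.invalid/$pkgname-$pkgver.tar.gz"{,.sig})
sha256sums=('e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
            'SKIP')   # the signature file itself is verified, not hashed
validpgpkeys=('0000000000000000000000000000000000000000')  # placeholder fingerprint
EOF

for f in "$WEAK_PKGBUILD" "$SIGNED_PKGBUILD"; do
    printf '%s: %s\n' "$(basename "$f")" "$(audit_pkgbuild "$f")"
done
```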
