[arch-general] Stronger Hashes for PKGBUILDs

Leonid Isaev leonid.isaev at jila.colorado.edu
Thu May 10 09:46:34 UTC 2018

On Thu, May 10, 2018 at 10:06:08AM +0200, NicoHood wrote:
> I really like you effort on stronger hashes. I totally aggree with you
> that we need those, if we can't have GPG signatures by the maintainers.
> Hashes just help in less usecases than GPG signatures, of course, but
> they do.

Currently, about 55% of [core] and 31% of [extra] packages make use of
validpgpkeys. In [community] it should be even less. So, it is still a long way
to go while all PKGBUILDs use GPG-verified sources...

I agree with others that using a single sha256sum instead of md5sum offers
questionable security benefit, but at least it protects against future
tampering with the src by an attacker who knows about MD5 collisions.

> Unfortunately I made the experience, that this discussion is useless
> here and you rather start helping with GPG signatures for every package.
> If you want to put effort into this topic, which I really appreciate,
> please directly go for GPG signatures, otherway it will be just a
> frustrating discussion for you, sadly.

There are only about 13% of packages in both [core] and [extra] that use MD5 --
a relatively small percentage. Yes, replacing those with a stronger hash is a
stop-gap measure, but it involves no maintainance overhead.

When you brought up this point last December, I didn't know that it is possible
to have concurrent CRC and MD5 collisions (ar at least they are difficult to
find). But since then, I did some homework and it indeed seems quite easy these
days. Therefore, using MD5 is no better than having SKIP.

In this regard, I don't understand why we need checksums at all? If upstream:
(1) signes source with GPG, it will take care of both integrity and
    authenticity, so no need for hashes; 
(2) doesn't provide signatures, rely on gzip/bzip2/xz CRC. It is not
    cryptographically secure, but we don't need that anyway.
Hence, we can substantially simplify makepkg code...

> What I can recommend to you for this is to write to upstream projects
> who don't use GPG signatures yet. Explain them why its important and
> help them to improve their software release security. I made the
> experience that quite a lot of projects did not know about the
> importance of GPG or just never looked into it. Just a few refuse to use
> GPG, leave that for now.

What about upstreams, like PAM, who stopped signing their releases? From a
developer point of view, it makes sense to not have a GPG key because it
implies an additional responsibility of keeping it safe. Therefore, I
understand people who don't signed their src archives.

> As additional support you can use the GPGit guides as well as the
> automated (same named) GPGit tool: https://github.com/NicoHood/gpgit
> It will help new users to understand GPG and provide them an easy to use
> tool to get started with GPG within a few minutes. Feedback for this is
> appreaciated.

I don't think it's needed. GPG is not complicated at all. The difficulty that
prevents its widespread use lies with maintaining the key, and with that no
guide can help...

> I wish you all good luck, dont hesitate to contact me further if you
> have any great ideas regarding GPG etc.


Leonid Isaev

More information about the arch-general mailing list