[aur-general] Support for remote sums in PKGBUILDs

Frederik "Freso" S. Olesen freso.dk at gmail.com
Tue Oct 22 03:53:23 EDT 2013

Den 22-10-2013 04:13, Doug Newgard skrev:
> It kind of defeats the purpose, though. If the server is hacked or someone does a MitM, they can easily replace the checksum file as well. 		 	   		

I never really thought much of the security of checksumming, basically 
exactly because they're relatively "easy" to forge (if you have access 
to where the files are, if you have access to the raw network stream, if 
you have access to the client machine). This goes for PKGBUILDs as well, 
for that matter. I agree that there is some measure of security inherent 
in checksumming, just not that it's significant. :)

I mostly regard checksums as a way to ensure that a download was not 
corrupted "in transit". This could be achieved by "remote checksums" as 
well as local ones you have to update all the time.

Frederik "Freso" S. Olesen <http://freso.dk/>

More information about the aur-general mailing list