[aur-general] Support for remote sums in PKGBUILDs

Frederik "Freso" S. Olesen freso.dk at gmail.com
Tue Oct 22 03:53:23 EDT 2013


Den 22-10-2013 04:13, Doug Newgard skrev:
> It kind of defeats the purpose, though. If the server is hacked or someone does a MitM, they can easily replace the checksum file as well.

I never really thought much of the security of checksumming, basically 
exactly because they're relatively "easy" to forge (if you have access 
to where the files are, if you have access to the raw network stream, if 
you have access to the client machine). This goes for PKGBUILDs as well, 
for that matter. I agree that there is some measure of security inherent 
in checksumming, just not that it's significant. :)

I mostly regard checksums as a way to ensure that a download was not 
corrupted "in transit". This could be achieved by "remote checksums" as 
well as local ones you have to update all the time.

-- 
Frederik "Freso" S. Olesen <http://freso.dk/>
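Added example, not part of Freso's or Doug's messages: a small Python simulation of the two cases the thread contrasts. A sum pinned in the PKGBUILD and a sum fetched from the same server both catch a download corrupted in transit, but only the pinned one catches a release that was replaced together with its sidecar checksum file. All data is constructed; the "server" is an in-memory stand-in with no network.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed upstream release and the sum the maintainer pinned in the PKGBUILD.
ORIGINAL_TARBALL = b"pkg-1.0 contents (constructed sample)"
PINNED_SUM = sha256_hex(ORIGINAL_TARBALL)


class Server:
    """Toy origin server holding a tarball and a sidecar .sha256 file (hypothetical)."""

    def __init__(self, tarball: bytes):
        self.tarball = tarball
        self.sumfile = sha256_hex(tarball)

    def replace_release(self, new_tarball: bytes):
        # Whoever can rewrite the tarball at the origin can rewrite the sum file too.
        self.tarball = new_tarball
        self.sumfile = sha256_hex(new_tarball)


def download(server: Server, corrupt_in_transit: bool = False) -> bytes:
    data = server.tarball
    if corrupt_in_transit:
        data = data[:-1] + b"X"  # one damaged byte; the sum file itself arrives intact
    return data


def verify_local(data: bytes, pinned: str) -> bool:
    """makepkg-style check against a sum recorded in the PKGBUILD."""
    return sha256_hex(data) == pinned


def verify_remote(data: bytes, server: Server) -> bool:
    """Check against a sum fetched from the same origin as the tarball."""
    return sha256_hex(data) == server.sumfile


def scenarios() -> dict:
    """Return {scenario: verification passed} for clean, corrupted and replaced downloads."""
    results = {}
    honest = Server(ORIGINAL_TARBALL)
    results["clean/local"] = verify_local(download(honest), PINNED_SUM)
    results["clean/remote"] = verify_remote(download(honest), honest)
    corrupted = download(honest, corrupt_in_transit=True)
    results["corrupt/local"] = verify_local(corrupted, PINNED_SUM)
    results["corrupt/remote"] = verify_remote(corrupted, honest)
    swapped = Server(ORIGINAL_TARBALL)
    swapped.replace_release(b"pkg-1.0 with unexpected change (constructed sample)")
    results["replaced/local"] = verify_local(download(swapped), PINNED_SUM)
    results["replaced/remote"] = verify_remote(download(swapped), swapped)
    return results


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:16} {'PASS' if ok else 'FAIL'}")
```

The "replaced/remote" row passing is Doug's point; the two "corrupt" rows failing is Freso's.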