[aur-general] TU Application: Baptiste Jonglez

Giancarlo Razzolini grazzolini at archlinux.org
Fri Dec 2 14:16:39 UTC 2016


On December 2, 2016 11:18 NicoHood wrote:
> 
> The signature itself is only a signed hash (sha256). So we do rely on
> the collision resistance of sha256[1] (or whatever the GPG itself uses).
> You are right, that hashes themselves are not enough to verify that the
> original author provided this source. But it gives you the guarantee
> that you downloaded the same source, as the maintainer (PKGBUILD writer) did.
>

GPG uses DSA[0]. And the signatures done using GPG are done in a way that
requires a key pair on the part of the person doing the signature. The
link you sent demonstrates precisely that. They are much more than simple
hashes.

> That is what integrity is all about, that is not only a checksum! The
> weakest spot though is the initial fetching of the source on which the
> maintainer relies. However with strong hashes you can at least ensure
> that you (for a rebuild) download the exact same sources, as the
> maintainer did. You just cannot prove who published that source itself.
> Saying sha256 is not secure enough for that purpose would also say GPG
> is not safe.
>

I'm not saying that sha256 is not secure enough for that purpose. I'm saying
that for *maintainers* it is not enough. There's a difference, it's subtle,
but it is there nevertheless. We replace upstream trust with our own. So we
must be sure that we're packaging from the right upstream source, even if
said source can't be obtained securely, nor does it have proper hashes or
even TLS.

> Correct me if I am wrong though. It'd also be nice to discuss this in the
> email I recently opened and not in the TU Application. I think this is a
> highly important topic, especially for those packages where we do not
> have gpg and https available and you can only rely on the hash that the
> maintainer gave out (AUR).
>

Sure, let's discuss that. But I think we already, even if informally, agreed
that using TLS where available is better than not. I'll stop deviating from
the purpose of the TU application discussion. Baptiste, you fixed what we
suggested, and that's ok by me.

Cheers,
Giancarlo Razzolini

[0] https://www.gnupg.org/gph/en/manual.html#AEN216
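The exchange above turns on what a PKGBUILD-style sha256sums check actually guarantees: that a rebuild fetched byte-for-byte what the maintainer fetched, not that the maintainer fetched what upstream published. The following is an added example written for this page (it is not code from the thread, from makepkg or from any Arch tooling); the tarball contents, the source URL and the PKGBUILD text are all constructed here, and the digests are computed at run time rather than copied from anywhere. It models both sides, the maintainer recording digests and a rebuilder verifying them, and runs the three situations the thread discusses.

```python
"""Added example: what a PKGBUILD-style sha256sums check does and does not
guarantee. Everything here (sources, URL, PKGBUILD text) is constructed."""
import hashlib
import re

# Constructed "upstream" source and a variant altered somewhere in transit.
GENUINE_SOURCE = b"constructed upstream tarball, release 1.0\n"
ALTERED_SOURCE = b"constructed upstream tarball, release 1.0\n# altered in transit\n"

# Constructed placeholder URL; not a real project.
SOURCE_URL = "https://example.invalid/foo-1.0.tar.gz"


def sha256_hex(data: bytes) -> str:
    """Hex digest in the form that appears in a sha256sums array."""
    return hashlib.sha256(data).hexdigest()


def render_pkgbuild(sources, sums):
    """Emit the source= and sha256sums= arrays a maintainer writes."""
    src = " ".join(f"'{s}'" for s in sources)
    sha = " ".join(f"'{s}'" for s in sums)
    return f"source=({src})\nsha256sums=({sha})\n"


def parse_array(pkgbuild: str, name: str):
    """Extract a single-quoted bash array such as sha256sums=('a' 'b')."""
    m = re.search(rf"^{name}=\((.*?)\)", pkgbuild, re.S | re.M)
    if not m:
        raise ValueError(f"{name} array not found")
    return re.findall(r"'([^']*)'", m.group(1))


def verify_sources(pkgbuild: str, fetched):
    """Rebuilder side: compare each fetched file with the recorded digest.
    Returns one status per source: 'ok', 'mismatch', or 'skipped' for SKIP."""
    sums = parse_array(pkgbuild, "sha256sums")
    if len(sums) != len(fetched):
        raise ValueError("sha256sums length does not match number of sources")
    statuses = []
    for expected, data in zip(sums, fetched):
        if expected == "SKIP":
            statuses.append("skipped")
        elif sha256_hex(data) == expected:
            statuses.append("ok")
        else:
            statuses.append("mismatch")
    return statuses


def maintainer_writes_pkgbuild(fetched_by_maintainer):
    """Maintainer side: whatever bytes were downloaded are what gets hashed.
    The digest says nothing about whether that download was the real upstream."""
    sums = [sha256_hex(d) for d in fetched_by_maintainer]
    return render_pkgbuild([SOURCE_URL], sums)


def scenario_clean():
    """Maintainer and rebuilder both obtain the genuine source."""
    pkgbuild = maintainer_writes_pkgbuild([GENUINE_SOURCE])
    return verify_sources(pkgbuild, [GENUINE_SOURCE])


def scenario_altered_after_packaging():
    """Source changes between the maintainer's fetch and the rebuild:
    the recorded digest catches it."""
    pkgbuild = maintainer_writes_pkgbuild([GENUINE_SOURCE])
    return verify_sources(pkgbuild, [ALTERED_SOURCE])


def scenario_altered_before_packaging():
    """The maintainer's own fetch was already altered (insecure channel):
    the recorded digest is the digest of the altered file, so every rebuild
    reports 'ok'. This is the gap a publisher's signature, not a hash, closes."""
    pkgbuild = maintainer_writes_pkgbuild([ALTERED_SOURCE])
    return verify_sources(pkgbuild, [ALTERED_SOURCE])


if __name__ == "__main__":
    print("clean fetch on both sides:   ", scenario_clean())
    print("altered after packaging:     ", scenario_altered_after_packaging())
    print("altered before packaging:    ", scenario_altered_before_packaging())
```

The third scenario is the one Giancarlo's "for *maintainers* it is not enough" refers to: the check passes because it only compares against what the maintainer saw, so the maintainer's own fetch needs a stronger assurance (TLS, or an upstream signature whose key can be checked) before the digest is worth anything to the people rebuilding from it.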