[pacman-dev] md5sum's aren't used as cryptographic algorithm? (was: $ARCH suffix on packages)

Jason Chu jason at archlinux.org
Wed Oct 11 12:37:50 EDT 2006

On Wed, 11 Oct 2006 10:57:53 -0500
"Aaron Griffin" <aaronmgriffin at gmail.com> wrote:

> b) I don't feel that anything is gained from using sha1sums.  md5 is
> the defacto file integrity check.  We're not using md5 as a
> cryptographic algorithm, we're checking file integrity

I talked to Judd about this one.  I'd noticed it while at LinuxTag a
couple years back...

While, on the surface we use md5sums to check file integrity, during
building we use it to verify that two downloads (at different time
periods) are the same. In this situation, it's possible to craft a
malicious tarball that matches the md5sum but has a different payload.

JGC was the one who suggested we use md5sums and sha1sums together
because it's much more difficult to craft something malicious that
matches both of them.  I wrote a patch for makepkg a long time ago, but
Judd didn't accept it because sha1sums were a lot longer and looked
ugly in a PKGBUILD.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://archlinux.org/pipermail/pacman-dev/attachments/20061011/417b6359/attachment.pgp>

More information about the pacman-dev mailing list