[pacman-dev] [PATCH] Remove support for SHA1 from pacman.
Aaron Griffin
aaronmgriffin at gmail.com
Thu Aug 16 00:00:03 EDT 2007

On 8/15/07, Dan McGee <dpmcgee at gmail.com> wrote:
> What I really want to hear are thoughts on this issue. We are using
> md5sums for two main reasons: verification of package downloads, and
> determining whether a backup file has changed. With this in mind, I
> think md5 is sufficient to serve our needs.
>
> Please chime in on this.

There is some history on this somewhere in these list archives. I'll
summarize my views because I don't want to figure out what thread that
was.

a) The "md5 is insecure" argument doesn't hold water with archive
formats. Reproducing an md5sum with a malicious file requires that the
original file format supports null padding. All of the examples I've
seen used ps files as you can embed null padding to fluff the md5sum.
In our case, if you add some padding, it suddenly becomes a corrupt
archive. Corrupt archives are already checked for before extraction,
so if the md5sum matches AND it's corrupt, it's either a packager's
error, or malicious.

b) We are not using md5 for security. We are using it for integrity.
These are two totally different things. Instead of saying "I don't
trust you Mr Mirror", we're saying "I trust the DB file is correct,
did this download ok". See now there's a subtle problem with this
point. If we want to implicitly trust the DB files, then we need to
ensure where they come from. DB files on mirrors might not be
"trustable". /me shrugs

But my opinion is thus: md5 is faster than sha1, and we're just
ensuring that we downloaded the file exactly as the server told us to.
We are not guaranteeing that it is super-duper secure. If we wanted
that, we'd sign packages. I vote md5.
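
Added example, not part of the original message and not pacman's code: a sketch of the integrity-versus-trust distinction in point (b), showing that an md5 check against the DB catches a bad download but says nothing about where the DB came from. The DB layout, package name, key and byte strings are constructed, and HMAC-SHA256 is used only as a stand-in for a real detached signature.

```python
import hashlib
import hmac

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def build_db(packages: dict) -> dict:
    # Simplified repo DB (assumed layout): package filename -> md5sum.
    return {name: md5_hex(blob) for name, blob in packages.items()}

def db_tag(db: dict, key: bytes) -> str:
    # HMAC-SHA256 stands in for a real detached signature over the DB.
    body = "\n".join(f"{n} {h}" for n, h in sorted(db.items())).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def download_ok(db: dict, name: str, blob: bytes) -> bool:
    # Integrity: did we receive exactly what this DB describes?
    return hmac.compare_digest(db.get(name, ""), md5_hex(blob))

def db_trusted(db: dict, tag: str, key: bytes) -> bool:
    # Authenticity: was this DB produced by the holder of the key?
    return hmac.compare_digest(db_tag(db, key), tag)

def scenarios() -> dict:
    key = b"constructed-repo-key"            # constructed sample key
    name = "foo-1.0-1.pkg.tar.gz"            # constructed package name
    origin = {name: b"constructed package bytes"}
    origin_db = build_db(origin)
    tag = db_tag(origin_db, key)             # published with the DB

    # An untrusted mirror that changes a package also controls its DB copy.
    mirror = {name: b"constructed altered bytes"}
    mirror_db = build_db(mirror)

    return {
        "clean_download": download_ok(origin_db, name, origin[name]),
        "truncated_download": download_ok(origin_db, name, origin[name][:-4]),
        "mirror_md5_matches": download_ok(mirror_db, name, mirror[name]),
        "mirror_db_trusted": db_trusted(mirror_db, tag, key),
        "origin_db_trusted": db_trusted(origin_db, tag, key),
    }

if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label}: {result}")
```

The checksum result is the same for md5 or sha1 in the mirror case; only the check on the DB itself distinguishes the two sources.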