[pacman-dev] MD5/SHA* why?

Dan McGee dpmcgee at gmail.com
Wed Jul 4 23:46:49 EDT 2007


On 7/4/07, Andrew Fyfe <andrew at neptune-one.net> wrote:
> Xavier wrote:
> > Oh no, when reading the archives, I forgot to bookmark several
> > important mails, took me a while to find this one back:
> > http://www.archlinux.org/pipermail/pacman-dev/2006-October/006029.html
> > So that's Judd's opinion on that matter:
> > "I never pretended that md5 was for anything security-related.  If we
> > were trying for security, we would've gone straight to signed
> > packages.  The md5sum was added to make sure downloaded files weren't
> > corrupt.
> >
> > I don't see the point of SHA1 if we're still using it/them for download
> > validation.  If we want security, then we might as well do it right."
> >
> >
> > As for my opinion on this, it's exactly the same as Andrew's: it
> > complicates the code for 0 benefit...
>
> I fully agree with Judd's comment, using MD5 or SHA1 for security is
> plain stupid. All we want a checksum for is a basic check that the
> package we've downloaded isn't corrupt. What are the odds you could
> download a corrupt package with the same checksum as the valid package?
>
> My preference would be to stick with 1 checksum (preferably MD5 as
> that's what's mainly used in Arch at the moment), and remove the other
> to simplify the code.... K.I.S.S.

Patches welcome for this. If anyone wants to start looking into
package signing as well, then more power to you.

I also dislike the fact that we have 3 different files for the md5
stuff: md5driver.c, md5.c, and md5.h. We should be able to move this
code all into a C file and header, md5.c and md5.h, without
difficulties. Make this a separate patch though.

-Dan
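Added example (not from the thread or from pacman itself) illustrating the point made above: a stored MD5 catches transfer corruption, while the chance of a corrupted download accidentally matching the published sum is 2^-128. The package bytes and the check functions are constructed for the demonstration.

```python
import hashlib
import random

# Constructed stand-in for a downloaded package; not a real Arch package.
PACKAGE = b"hypothetical-1.0-1-i686.pkg.tar.gz:" + bytes(range(256)) * 64


def md5_hex(data: bytes) -> str:
    """Hex MD5 digest, as pacman stores it in the sync db for download checks."""
    return hashlib.md5(data).hexdigest()


def verify_download(data: bytes, expected_md5: str) -> bool:
    """Integrity check only: does the downloaded file match the published sum?
    This catches transfer corruption; it is not authentication, which is what
    signed packages would provide."""
    return md5_hex(data) == expected_md5.lower()


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with one bit flipped (simulated transfer corruption)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def corruption_detection_rate(data: bytes, expected_md5: str, trials: int) -> float:
    """Fraction of random single-bit corruptions of data that the check rejects."""
    rng = random.Random(1234)  # fixed seed so the run is reproducible
    total_bits = len(data) * 8
    caught = 0
    for _ in range(trials):
        corrupted = flip_bit(data, rng.randrange(total_bits))
        if not verify_download(corrupted, expected_md5):
            caught += 1
    return caught / trials


def accidental_match_probability() -> float:
    """Chance that an accidentally corrupted file yields the same 128-bit digest."""
    return 2.0 ** -128


if __name__ == "__main__":
    expected = md5_hex(PACKAGE)
    print("intact    :", verify_download(PACKAGE, expected))
    print("bit flip  :", verify_download(flip_bit(PACKAGE, 12345), expected))
    print("truncated :", verify_download(PACKAGE[:-1], expected))
    print("detected  :", corruption_detection_rate(PACKAGE, expected, 500))
    print("accidental match probability: 2^-128 =", accidental_match_probability())
```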
