[pacman-dev] MD5/SHA* why?
Jason Chu
jason at archlinux.org
Thu Jul 5 17:06:09 EDT 2007
On Wed, Jul 04, 2007 at 11:46:49PM -0400, Dan McGee wrote:
> On 7/4/07, Andrew Fyfe <andrew at neptune-one.net> wrote:
> > Xavier wrote:
> > > Oh no, when reading the archives, I forgot to bookmark several
> > > important mails, took me a while to find this one back :
> > > http://www.archlinux.org/pipermail/pacman-dev/2006-October/006029.html
> > > So that's Judd opinion on that matter:
> > > "I never pretended that md5 was for anything security-related. If we
> > > were trying for security, we would've gone straight to signed
> > > packages. The md5sum was added to make sure downloaded files weren't
> > > corrupt.
> > >
> > > I don't see the point of SHA1 if we're still using it/them for download
> > > validation. If we want security, then we might as well do it right."
> > >
> > >
> > > As for my opinion on this, it's exactly the same as Andrew, it
> > > complicates the code for 0 benefit...
> >
> > I fully agree with Judd's comment, using MD5 or SHA1 for security is
> > plain stupid all we went a checksum for is a basic check that the
> > package we've downloaded isn't corrupt. What are the odds you could
> > download a corrupt package with the same checksum as the valid package?
> >
> > My preference would be to stick with 1 checksum (preferably MD5 as
> > that's what's mainly used in Arch at the moment), and remove the other
> > to simplify the code.... K.I.S.S.
>
> Patches welcome for this. If anyone wants to start looking into
> package signing as well, then more power to you.
>
> I also dislike the fact that we have 3 different files for the md5
> stuff- md5driver.c, md5.c, and md5.h. We should be able to move this
> code all into a C file and header, md5.c and md5.h, without
> difficulties. Make this a separate patch though.
I was the main person pushing for this and it was mostly for the malicious
downloads.
It's not the package downloading that I was worried about as much as the
source tarballs. We use md5sums to make sure that the tarball we
downloaded building the package is the same as the tarball that the
developer used when they built the package. If someone gets access to the
upstream's server, we're using the md5sum to trust files over time.
I had long discussions with Aaron about this. He still wasn't convinced
but added it because it didn't hurt. Eventually we decided that the best
bet was to store source packages on the arch servers, because then we could
trust those. That just hasn't happened yet.
Obviously there are way more people who think this is dumb than I do. I
wrote the original patch for this (makepkg only) during LinuxTag 2005 after
JGC mentioned that BSD uses two hashes. I thought their reasoning was
sound so I wanted to do it too.
Jason
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://archlinux.org/pipermail/pacman-dev/attachments/20070705/33cbef22/attachment.pgp>
More information about the pacman-dev
mailing list