[pacman-dev] [PATCH] Change the default makepkg checksum from MD5 to SHA-1

Jason St. John jstjohn at purdue.edu
Thu Jan 16 17:41:30 EST 2014

MD5 has been significantly compromised for years; switching to a more
secure hash function, such as SHA-1, is long overdue.

Signed-off-by: Jason St. John <jstjohn at purdue.edu>
I was tempted to switch straight to SHA-256 because SHA-1 has had some
theoretical vulnerabilities for years; however, because there are effectively
no practical/feasible, real-world attacks on SHA-1, plus the much larger hash
size that users like to complain about, I figure that SHA-1 is good enough
for now.

 etc/makepkg.conf.in        | 2 +-
 proto/PKGBUILD-split.proto | 2 +-
 proto/PKGBUILD.proto       | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/etc/makepkg.conf.in b/etc/makepkg.conf.in
index 43a6cf2..796aea7 100644
--- a/etc/makepkg.conf.in
+++ b/etc/makepkg.conf.in
@@ -81,7 +81,7 @@ BUILDENV=(fakeroot !distcc color !ccache check !sign)
 OPTIONS=(strip docs libtool staticlibs emptydirs zipman purge !upx !debug)
 #-- File integrity checks to use. Valid: md5, sha1, sha256, sha384, sha512
 #-- Options to be used when stripping binaries. See `man strip' for details.
 #-- Options to be used when stripping shared libraries. See `man strip' for details.
diff --git a/proto/PKGBUILD-split.proto b/proto/PKGBUILD-split.proto
index f1dd420..e8a3bf1 100644
--- a/proto/PKGBUILD-split.proto
+++ b/proto/PKGBUILD-split.proto
@@ -28,7 +28,7 @@ changelog=
-md5sums=() # generate with 'updpkgsums'
+sha1sums=() # generate with 'updpkgsums'
 prepare() {
 	cd "${pkgname}-${pkgver}"
diff --git a/proto/PKGBUILD.proto b/proto/PKGBUILD.proto
index 0eb1c20..de966cf 100644
--- a/proto/PKGBUILD.proto
+++ b/proto/PKGBUILD.proto
@@ -27,7 +27,7 @@ changelog=
-md5sums=() # generate with 'updpkgsums'
+sha1sums=() # generate with 'updpkgsums'
 prepare() {
 	cd "${pkgname}-${pkgver}"

More information about the pacman-dev mailing list