[pacman-dev] [PATCH] Change the default makepkg checksum from MD5 to SHA-1

Jason St. John jstjohn at purdue.edu
Thu Jan 16 18:56:44 EST 2014

On Thu, Jan 16, 2014 at 5:50 PM, Allan McRae <allan at archlinux.org> wrote:
> On 17/01/14 08:41, Jason St. John wrote:
>> MD5 has been significantly compromised for years; switching to a more
>> secure hash function, such as SHA-1, is long overdue.
>> Signed-off-by: Jason St. John <jstjohn at purdue.edu>
> No.  It is up to the packager to fill out the checksums with what is
> provided upstream.  Because if upstream do not provide the checksums,
> they are pointless.  Even better if upstream provides signatures.
> Allan

There are still two benefits to changing the default checksum:
1) The AUR uses HTTPS by default, which ensures that the source
tarball has not been tampered with in transit. Using a better hash
function reduces the chances of an attacker man-in-the-middle'ing
end-users when they download the sources from upstream, even over
unsecure connections (e.g. unencrypted Wi-Fi, regular HTTP).
2) Most packagers just leave the default option simply because it's
the default, and I would argue that it is rare for packagers,
especially AUR maintainers, to use the same checksum algorithm as
upstream. To be honest, I didn't know that the purpose of the checksum
was so it could be compared to upstream; I assumed it was a security
mechanism for point 1, above.


More information about the pacman-dev mailing list