[pacman-dev] [PATCH] Change the default makepkg checksum from MD5 to SHA-1

Allan McRae allan at archlinux.org
Thu Jan 16 19:04:01 EST 2014


On 17/01/14 09:56, Jason St. John wrote:
> On Thu, Jan 16, 2014 at 5:50 PM, Allan McRae <allan at archlinux.org> wrote:
>> On 17/01/14 08:41, Jason St. John wrote:
>>> MD5 has been significantly compromised for years; switching to a more
>>> secure hash function, such as SHA-1, is long overdue.
>>>
>>> Signed-off-by: Jason St. John <jstjohn at purdue.edu>
>>
>> No.  It is up to the packager to fill out the checksums with what is
>> provided upstream.  Because if upstream do not provide the checksums,
>> they are pointless.  Even better if upstream provides signatures.
>>
>> Allan
>>
>>
> 
> There are still two benefits to changing the default checksum:
> 1) The AUR uses HTTPS by default, which ensures that the source
> tarball has not been tampered with in transit. Using a better hash
> function reduces the chances of an attacker man-in-the-middle'ing
> end-users when they download the sources from upstream, even over
> insecure connections (e.g. unencrypted Wi-Fi, regular HTTP).
> 2) Most packagers just leave the default option simply because it's
> the default, and I would argue that it is rare for packagers,
> especially AUR maintainers, to use the same checksum algorithm as
> upstream. To be honest, I didn't know that the purpose of the checksum
> was so it could be compared to upstream; I assumed it was a security
> mechanism for point 1, above.
> 

If packagers are just using the default, then it is unlikely they have
checked if upstream actually provided checksums, and they are relatively
useless anyway.

Allan
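What makepkg does with those checksum arrays, as an added illustration written for this page rather than pacman's own code (the tarball bytes, file names and PKGBUILD fragment are constructed): the check passes for an altered download whenever the recorded hash was taken from that same download, whichever algorithm fills the array, and only a value copied from upstream catches the change.

```python
import hashlib
import re
# Checksum arrays makepkg reads from a PKGBUILD (array name is <algo>sums).
ALGORITHMS = ("md5", "sha1", "sha224", "sha256", "sha384", "sha512")

# Constructed sample data, not a real project: the bytes upstream published
# and a copy of the same tarball that was altered somewhere along the way.
UPSTREAM_TARBALL = b"foo-1.0 source tree (constructed sample)\n"
TAMPERED_TARBALL = b"foo-1.0 source tree (constructed sample) + extra code\n"

def parse_checksums(pkgbuild_text):
    """Return {algo: [entry, ...]} for every <algo>sums=(...) array present."""
    sums = {}
    for algo in ALGORITHMS:
        m = re.search(r"^%ssums=\((.*?)\)" % algo, pkgbuild_text, re.S | re.M)
        if m:
            sums[algo] = [e.strip("'\"") for e in m.group(1).split()]
    return sums

def verify_sources(sources, pkgbuild_text):
    """makepkg's rule on a list of (filename, bytes): every array present must
    match every source, in order; SKIP passes unchecked; no array at all fails here."""
    sums = parse_checksums(pkgbuild_text)
    result = {}
    for i, (name, data) in enumerate(sources):
        ok = bool(sums)
        for algo, entries in sums.items():
            if i >= len(entries):
                ok = False  # array shorter than the source list
            elif entries[i] != "SKIP" and entries[i] != hashlib.new(algo, data).hexdigest():
                ok = False
        result[name] = ok
    return result

def pkgbuild_with_sums(algo, entries):
    # Minimal constructed PKGBUILD fragment carrying one checksum array.
    quoted = " ".join("'%s'" % e for e in entries)
    return "source=('foo-1.0.tar.gz' 'foo.patch')\n%ssums=(%s)\n" % (algo, quoted)

def demo(algo="sha256"):
    """Same altered download, two ways of filling the array; returns
    (passes with packager-derived sums, passes with upstream-published sums)."""
    sources = [("foo-1.0.tar.gz", TAMPERED_TARBALL), ("foo.patch", b"patch body\n")]
    own = hashlib.new(algo, TAMPERED_TARBALL).hexdigest()       # hash of the packager's own download
    upstream = hashlib.new(algo, UPSTREAM_TARBALL).hexdigest()  # value upstream published
    # Hash of an already altered download matches, whatever the algorithm;
    # the upstream-published value is the one that catches the alteration.
    return (verify_sources(sources, pkgbuild_with_sums(algo, [own, "SKIP"]))["foo-1.0.tar.gz"],
            verify_sources(sources, pkgbuild_with_sums(algo, [upstream, "SKIP"]))["foo-1.0.tar.gz"])
```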