[pacman-dev] [PATCH] Change the default makepkg checksum from MD5 to SHA-1

Allan McRae allan at archlinux.org
Thu Jan 16 19:04:01 EST 2014

On 17/01/14 09:56, Jason St. John wrote:
> On Thu, Jan 16, 2014 at 5:50 PM, Allan McRae <allan at archlinux.org> wrote:
>> On 17/01/14 08:41, Jason St. John wrote:
>>> MD5 has been significantly compromised for years; switching to a more
>>> secure hash function, such as SHA-1, is long overdue.
>>> Signed-off-by: Jason St. John <jstjohn at purdue.edu>
>> No.  It is up to the packager to fill out the checksums with what is
>> provided upstream.  Because if upstream do not provide the checksums,
>> they are pointless.  Even better if upstream provides signatures.
>> Allan
> There are still two benefits to changing the default checksum:
> 1) The AUR uses HTTPS by default, which ensures that the source
> tarball has not been tampered with in transit. Using a better hash
> function reduces the chances of an attacker man-in-the-middle'ing
> end-users when they download the sources from upstream, even over
> unsecure connections (e.g. unencrypted Wi-Fi, regular HTTP).
> 2) Most packagers just leave the default option simply because it's
> the default, and I would argue that it is rare for packagers,
> especially AUR maintainers, to use the same checksum algorithm as
> upstream. To be honest, I didn't know that the purpose of the checksum
> was so it could be compared to upstream; I assumed it was a security
> mechanism for point 1, above.

If packagers are just using the default, then it is unlikely they have
checked if upstream actually provided checksums and they are relatively
useless anyway.
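
Added example, not part of the original thread and not makepkg code: a Bash function that compares a downloaded source with a checksum list published by upstream, in whichever algorithm upstream provides, and reports separately when upstream lists no checksum for the file. The function name, exit codes and file names are assumptions made for the illustration, and the sample files are constructed.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper, not makepkg code).
# Exit status: 0 = file matches the upstream checksum, 1 = mismatch,
# 2 = upstream list has no entry for this file (nothing to compare against),
# 3 = unsupported algorithm.
verify_against_upstream() {
    local algo="$1" file="$2" sums="$3" name expected actual
    case $algo in
        md5|sha1|sha256|sha512) ;;
        *) return 3 ;;
    esac
    name=$(basename -- "$file")
    # Upstream list lines are assumed to be "<hex digest>  <filename>"
    # (coreutils format, optional '*' before the name, no spaces in names).
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) }
        f == n { print tolower($1); exit }' "$sums")
    [ -n "$expected" ] || return 2
    actual=$("${algo}sum" -- "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

demo() {
    local d rc
    d=$(mktemp -d)
    printf 'constructed upstream release\n' > "$d/foo-1.0.tar.gz"
    # Constructed stand-in for a checksum file fetched from upstream.
    (cd "$d" && sha1sum foo-1.0.tar.gz > SHA1SUMS)
    rc=0; verify_against_upstream sha1 "$d/foo-1.0.tar.gz" "$d/SHA1SUMS" || rc=$?
    echo "intact download:   $rc"
    printf 'modified after release\n' >> "$d/foo-1.0.tar.gz"
    rc=0; verify_against_upstream sha1 "$d/foo-1.0.tar.gz" "$d/SHA1SUMS" || rc=$?
    echo "modified download: $rc"
    rc=0; verify_against_upstream sha1 "$d/bar-2.0.tar.gz" "$d/SHA1SUMS" || rc=$?
    echo "not listed:        $rc"
    rm -rf "$d"
}
demo
```

Status 2 is the case where the only checksum available is one the packager generated from their own download, which records what was downloaded but cannot be compared with anything upstream published.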

