[pacman-dev] [PATCH] makepkg: Change the default integrity check to sha256.

me at the-compiler.org me at the-compiler.org
Thu Jun 5 15:39:45 EDT 2014


From: Florian Bruhin <git at the-compiler.org>

There were a few bug reports related to this:
    https://bugs.archlinux.org/task/39210
    https://bugs.archlinux.org/task/38543
    https://bugs.archlinux.org/task/37215

While disallowing md5sums entirely will break too much, the default should be
changed to sha256 for the following reasons:

- Using MD5 as default might motivate people to use MD5 for other purposes as
  well, which is usually a bad idea. Even if the change wouldn't have any
  effect on pacman itself, it has the benefit of stopping to encourage people
  to still use MD5.

- While not actually the main motivation for this change, there is the
  possibility of provoking a hash collision.

  This is however difficult due to some factors, like compression.

  As the integrity check isn't designed to be a cryptographic check in the
  first place, this point is less important.

sha256 was used over sha512 mainly to keep line length reasonable (under 80
chars).

The performance loss should be negligible and only applies to building
packages. On my machine, with an 1GB file (which is large compared to the
average source file), sha256sum takes 5.7 seconds, md5sum 1.9 seconds.

Signed-off-by: Florian Bruhin <git at the-compiler.org>
---
 etc/makepkg.conf.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/etc/makepkg.conf.in b/etc/makepkg.conf.in
index 712ca60..19c430a 100644
--- a/etc/makepkg.conf.in
+++ b/etc/makepkg.conf.in
@@ -80,7 +80,7 @@ BUILDENV=(!distcc color !ccache check !sign)
 OPTIONS=(strip docs libtool staticlibs emptydirs zipman purge !upx !debug)
 
 #-- File integrity checks to use. Valid: md5, sha1, sha256, sha384, sha512
-INTEGRITY_CHECK=(md5)
+INTEGRITY_CHECK=(sha256)
 #-- Options to be used when stripping binaries. See `man strip' for details.
 STRIP_BINARIES="@STRIP_BINARIES@"
 #-- Options to be used when stripping shared libraries. See `man strip' for details.
-- 
2.0.0



More information about the pacman-dev mailing list