[pacman-dev] [PATCH] makepkg: Change the default integrity check to sha256.

Florian Bruhin me at the-compiler.org
Fri Jun 6 08:20:17 EDT 2014

* Allan McRae <allan at archlinux.org> [2014-06-06 07:34:51 +1000]:
> On 06/06/14 05:39, me at the-compiler.org wrote:
> > From: Florian Bruhin <git at the-compiler.org>
> > 
> > There were a few bug reports related to this:
> >     https://bugs.archlinux.org/task/39210
> >     https://bugs.archlinux.org/task/38543
> >     https://bugs.archlinux.org/task/37215
> > 
> And all those were rejected...

Note only the first of these reports is actually what this patch
changes. The other two propose *disallowing* md5sums entirely, which
IMHO is not a good idea.

The first one then was closed as a duplicate of one of the others,
even though disallowing md5sums and changing the defaults are two
completely different things.

Looking at the count of bug reports (plus some votes, even on the
reports proposing a more radical change), this is at least an issue
worth discussing.

> The default means that people are using "makepkg -g" to generate them,
> so is useless.

From the top of my head, I see three possible scenarios where a
data corruption can occur:

- On the server itself (wrong file but correct checksum hosted, etc.):

This is the only case where a checksum generated via makepkg -g
wouldn't help, and I'd guess this is the rarest scenario.

- During transmission to (or on the machine of) the maintainer.

While the maintainer initially won't know something is wrong, the users
will and will hopefully complain.

- During transmission to (or on the machine of) the user installing
the package.

I think this is the most common scenario. In this case, it doesn't
matter how the checksums were generated by the maintainer.

I do agree using upstream checksums is the best option if they are
provided, but sadly that's often not the case - but I disagree about
checksums being *useless* when they don't come from upstream directly.

> People should be using whatever upstream publishes (or better pgp
> signatures) to verify files.

Please also note there are PKGBUILDs where there's no upstream source
with a checksum (e.g. only VCS sources), and then some added files

I did a quick grep against the aur git repo to find out what the
current distribution of checksums is, out of curiosity:

  41215 md5sums
   5641 sha256sums
   3230 sha1sums
   2587 sha512sums
     71 sha384sums

So it seems to me the reality is that makepkg -g is still widely used.

I also found some constructs to automatically get a checksum file from
upstream via curl/wget - is this an encouraged thing to do?
Though this one probably isn't a good idea :D
md5sums=(`wget -qO- $source | md5sum | cut -c -32`)

No hurt feelings if this patch won't be accepted, but I think it'd be
beneficial to hear other thoughts on this.


http://www.the-compiler.org | me at the-compiler.org (Mail/XMPP)
             GPG 0xFD55A072 | http://the-compiler.org/pubkey.asc
         I love long mails! | http://email.is-not-s.ms/
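An added example, not from this mail or from makepkg itself, that plays through the third scenario discussed above with local files standing in for the downloads (it assumes coreutils sha256sum, or shasum as a fallback, and mktemp): a checksum the maintainer records from a good copy, the way makepkg -g does, catches a download that is corrupted on the way to the user, whereas the wget-piped-into-md5sum construct quoted above accepts the same corrupted file, because its "expected" value is computed from the very download it is supposed to check.

```shell
#!/bin/sh
# Added example for this thread; it is not part of the mail or of makepkg.
# Assumes coreutils sha256sum (or shasum as fallback) and mktemp; local
# files stand in for the upstream download, the maintainer's copy and the
# user's copy.

# Hex SHA-256 digest of a file.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_checksum FILE EXPECTED_HEX: succeeds only if FILE hashes to EXPECTED_HEX.
# This is the comparison makepkg performs against the sums array of a PKGBUILD.
verify_checksum() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# The construct quoted in the mail, md5sums=(`wget -qO- $source | md5sum ...`),
# derives the "expected" digest from the same download it then checks, so the
# comparison can never fail. Modelled with a local file in place of the URL.
same_channel_check() {
    expected=$(sha256_of "$1")         # computed from whatever was served ...
    verify_checksum "$1" "$expected"   # ... and compared against that same content
}

# Scenario 3 from the mail: the maintainer records a checksum from a good copy
# (what makepkg -g does); the user's download is then corrupted in transit.
# Prints "rejected" when the recorded checksum catches the corruption.
demo_transit_corruption() {
    tmp=$(mktemp -d)
    printf 'sample source archive v1.0\n' > "$tmp/maintainer-copy.tar"   # constructed content
    recorded=$(sha256_of "$tmp/maintainer-copy.tar")
    printf 'sample source archive v1.1\n' > "$tmp/user-copy.tar"         # one byte differs
    if verify_checksum "$tmp/user-copy.tar" "$recorded"; then
        result=accepted
    else
        result=rejected
    fi
    rm -rf "$tmp"
    echo "$result"
}

# The same corrupted download, checked with the same-channel construct:
# it is accepted, because nothing independent of the download is compared.
demo_same_channel() {
    tmp=$(mktemp -d)
    printf 'sample source archive v1.1\n' > "$tmp/user-copy.tar"         # the corrupted copy
    if same_channel_check "$tmp/user-copy.tar"; then
        result=accepted
    else
        result=rejected
    fi
    rm -rf "$tmp"
    echo "$result"
}

echo "corrupted download vs. maintainer-recorded sha256: $(demo_transit_corruption)"
echo "corrupted download vs. same-channel checksum:      $(demo_same_channel)"
```

Run it as a plain script; the two final lines report "rejected" for the recorded checksum and "accepted" for the same-channel one. The point is not which hash function is used but where the expected value comes from: a sum recorded once on a machine that had a good copy is an independent reference, a sum recomputed from each download is not.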