[pacman-dev] [PATCH 0/2] Deprecate md5sums, show sha256sums as an example-by-default.

Mike Swanson mikeonthecomputer at gmail.com
Thu Feb 23 21:31:15 UTC 2017


Both the MD5 and SHA-1 hash functions have known collision attacks,
providing an attack vector for malicious hosts and MITMs to provide
tampered code without being detected by md5 or sha1 hashing.

We should move to sha256-by-default, and encourage their use by
changing the documentation and example files to follow suit.  The
SHA-2 family of hashes is currently secure against normal attacks
(even at the scale of having Facebook's or Google's datacenters).  In
the future, pacman should gain SHA-3 support though, because SHA-2
itself has some theoretical preimage attacks and possible collision
attacks.

Mike Swanson (2):
  proto: Encourage the use of sha256sums by example.
  doc, makepkg.conf: Deprecate md5sums, show examples using sha256sums.

 doc/PKGBUILD-example.txt   |  4 ++--
 doc/PKGBUILD.5.txt         | 31 +++++++++++++++++++------------
 doc/makepkg-template.1.txt |  2 +-
 etc/makepkg.conf.in        |  2 +-
 proto/PKGBUILD-split.proto |  2 +-
 proto/PKGBUILD-vcs.proto   |  2 +-
 proto/PKGBUILD.proto       |  2 +-
 7 files changed, 26 insertions(+), 19 deletions(-)

-- 
2.11.1
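For readers unfamiliar with what the `sha256sums` array actually buys a PKGBUILD, here is an added shell example (written for this page, not code from the patch series or from makepkg itself) that re-implements the check in miniature: each entry of `source` is paired with the digest at the same position, the literal `SKIP` disables the check for that entry, and any mismatch rejects the build. It assumes coreutils `sha256sum` is available; the file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the pacman patch series or of makepkg:
# a minimal model of how a PKGBUILD's sha256sums array is checked
# against the files in the source array. Assumes coreutils sha256sum.

# sha256_of FILE: print the hex SHA-256 digest of FILE
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_sources "src1 src2 ..." "sum1 sum2 ..."
# Sources and sums are space-separated lists paired by position, mirroring
# the source=() / sha256sums=() arrays. The makepkg convention that the
# literal SKIP disables the check for that entry is honoured. Returns 0 when
# every checked entry matches, 1 on a mismatch, a missing file or a missing sum.
verify_sources() {
    sources=$1
    set -- $2
    for src in $sources; do
        [ $# -gt 0 ] || return 1      # fewer sums than sources
        expected=$1
        shift
        [ "$expected" = "SKIP" ] && continue
        [ -f "$src" ] || return 1
        [ "$(sha256_of "$src")" = "$expected" ] || return 1
    done
    return 0
}

# demo_tamper_detection: build two constructed "source" files, verify them,
# append a line to the tarball stand-in (simulating a modified download),
# and verify again. Returns 0 when the pristine set passes and the modified
# set is rejected, 1 otherwise.
demo_tamper_detection() {
    dir=$(mktemp -d)
    printf 'constructed upstream tarball contents\n' > "$dir/foo-1.0.tar"
    printf 'constructed local patch contents\n' > "$dir/fix.patch"
    sums="$(sha256_of "$dir/foo-1.0.tar") SKIP"
    srcs="$dir/foo-1.0.tar $dir/fix.patch"

    if ! verify_sources "$srcs" "$sums"; then
        rm -rf "$dir"; return 1       # pristine files must pass
    fi
    printf 'injected line\n' >> "$dir/foo-1.0.tar"
    if verify_sources "$srcs" "$sums"; then
        rm -rf "$dir"; return 1       # modification went unnoticed
    fi
    rm -rf "$dir"
    return 0
}

# Run the demo when executed directly.
demo_tamper_detection && echo "tampered source rejected, pristine source accepted"
```

The point of the SHA-256 digest is that an attacker who can serve a different file cannot feasibly make it collide with the digest recorded in the PKGBUILD, which is exactly the property MD5 and SHA-1 no longer provide; `SKIP` entries, as in a real PKGBUILD, get no protection at all and should be reserved for sources verified by other means.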

