[pacman-dev] [PATCH 0/2] Deprecate md5sums, show sha256sums as an example-by-default.

Eli Schwartz eschwartz93 at gmail.com
Thu Feb 23 21:58:42 UTC 2017

On 02/23/2017 04:31 PM, Mike Swanson wrote:
> Both the MD5 and SHA-1 hash functions have known collision attacks,
> providing an attack vector for malicious hosts and MITMs to provide
> tampered code without being detected by md5, or sha1, hashing.
> We should move to sha256-by-default, and encourage their use by
> changing the documentation and example files to follow suit.  The
> SHA-2 family of hashes are currently secure against normal attacks
> (even at the scale of having Facebook's or Google's datacenters).  In
> the future, pacman should gain SHA-3 support though, because SHA-2
> itself has some theoretical preimage attacks and possible collision
> attacks.

I like the idea. ;)

But this has come up multiple times already, and Allan has strongly
resisted it.

From the thread "[arch-general] Stronger Hashes for PKGBUILDs" (Dec. 2016)
> I advocate keeping md5sum as the default because it is broken.  If I see
> someone purely verifying their sources using md5sum in a PKGBUILD (and
> not pgp signature), I know that they have done nothing to actually
> verify the source themselves.
> If sha2sums become default, I now know nothing.  Did the maintainer of
> the PKGBUILD get that checksum from a securely distributed source from
> upstream?  Had the source already been compromised upstream before the
> PKGBUILD was made?  Now I am securely verifying the unknown.
> But we don't care about that...  we just want to feel warm and fuzzy
> with a false sense of security.

Also, there was a thread in the forums somewhere...

Essentially, his arguments boil down to "strong checksums don't prove
anything except that the AUR maintainer bumped the pkgver and ran
`updpkgsums` to blindly insert unverified hashes into the PKGBUILD", and
therefore md5sums are perfectly okay for the one thing they are meant to
do, which is prove that the download wasn't corrupted in a freak
accident. He did imply he'd be okay replacing the whole *sums thing with
"crcsums", just to make things clearer for everyone. ;)

It is of course very true that anyone who *really* cares about the
security of a package, should lean on upstream to provide proper GPG
signatures for their release artifacts, as that will be immeasurably
more secure than any anonymous checksums no matter how strong, or how
much you trust the maintainer. :)


Good luck convincing Allan (you'll *need* it...).

Eli Schwartz
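
Added example (not part of the message above and not pacman code): a static check that reads a PKGBUILD's arrays without executing it and reports which kind of verification it declares, the distinction this thread turns on. The PKGBUILD fragments, URLs and PLACEHOLDER values are constructed, and the verdict wording is this example's own.

```python
import re
import shlex

# Checksum arrays makepkg accepted at the time of this thread.
SUM_ARRAYS = ("md5sums", "sha1sums", "sha224sums",
              "sha256sums", "sha384sums", "sha512sums")
WEAK = {"md5sums", "sha1sums"}
# makepkg treats source entries with these suffixes as detached PGP signatures;
# the optional "}" covers the common "file{,.sig}" brace shorthand.
SIG_RE = re.compile(r"\.(sig|sign|asc)\}?$")
ARRAY_RE = re.compile(r"^(\w+)=\(([^)]*)\)", re.M)

# Constructed PKGBUILD fragments (not real packages).
MD5_ONLY = """source=("https://example.org/foo-$pkgver.tar.gz")
md5sums=('PLACEHOLDER_MD5')
"""
SHA256_ONLY = """source=("https://example.org/foo-$pkgver.tar.gz")
sha256sums=('PLACEHOLDER_SHA256')
"""
SIGNED = """source=("https://example.org/foo-$pkgver.tar.gz"{,.sig})
sha256sums=('PLACEHOLDER_SHA256' 'SKIP')
validpgpkeys=('PLACEHOLDER_FINGERPRINT')
"""

def parse_arrays(pkgbuild_text):
    """Read simple bash array assignments as text; nothing is sourced or run."""
    return {name: shlex.split(body)
            for name, body in ARRAY_RE.findall(pkgbuild_text)}

def audit(pkgbuild_text):
    arrays = parse_arrays(pkgbuild_text)
    sums = [a for a in SUM_ARRAYS if arrays.get(a)]
    signed = [s for s in arrays.get("source", []) if SIG_RE.search(s)]
    if signed and arrays.get("validpgpkeys"):
        verdict = "signature checked against pinned key(s)"
    elif signed:
        verdict = "signature present but no validpgpkeys pin"
    elif sums and set(sums) <= WEAK:
        verdict = "checksum only (weak hash): detects corruption, not tampering"
    elif sums:
        verdict = "checksum only (strong hash): provenance of the hash unknown"
    else:
        verdict = "no integrity data"
    return {"sums": sums, "signed_sources": signed, "verdict": verdict}

if __name__ == "__main__":
    for name, text in [("md5", MD5_ONLY), ("sha256", SHA256_ONLY), ("signed", SIGNED)]:
        print(name, "->", audit(text)["verdict"])
```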
