[pacman-dev] [PATCH 0/2] Deprecate md5sums, show sha256sums as an example-by-default.
kieran at kcolford.com
Thu Feb 23 22:04:51 UTC 2017
On Thu, 23 Feb 2017 at 16:31 Mike Swanson <mikeonthecomputer at gmail.com>
> Both the MD5 and SHA-1 hash functions have known collision attacks,
> providing an attack vector for malicious hosts and MITMs to provide
> tampered code without being detected by md5, or sha1, hashing.
> We should move to sha256-by-default, and encourage their use by
> changing the documentation and example files to follow suit. The
> SHA-2 family of hashes are currently secure against normal attacks
> (even at the scale of having Facebook's or Google's datacenters). In
> the future, pacman should gain SHA-3 support though, because SHA-2
> itself has some theoretical preimage attacks and possible collision
points out that using sha512 is faster than sha256 so I'd rather not waste
my time calculating hashes without a good reason
> Mike Swanson (2):
> proto: Encourage the use of sha256sums by example.
> doc, makepkg.conf: Deprecate md5sums, show examples using sha256sums.
> doc/PKGBUILD-example.txt | 4 ++--
> doc/PKGBUILD.5.txt | 31 +++++++++++++++++++------------
> doc/makepkg-template.1.txt | 2 +-
> etc/makepkg.conf.in | 2 +-
> proto/PKGBUILD-split.proto | 2 +-
> proto/PKGBUILD-vcs.proto | 2 +-
> proto/PKGBUILD.proto | 2 +-
> 7 files changed, 26 insertions(+), 19 deletions(-)
Signed, Kieran Colford