[pacman-dev] [PATCH 0/2] Deprecate md5sums, show sha256sums as an example-by-default.

Eli Schwartz eschwartz93 at gmail.com
Fri Feb 24 18:13:33 UTC 2017

On 02/24/2017 10:41 AM, Kieran Colford wrote:
> I agree that PGP everywhere is absolutely something to push for. On 
> the other hand, not every developer is in the web of trust strong 
> set

Which is why if you pedantically worship the web of trust strong set,
PGP is kind of useless altogether, since you can never really trust it
in practice. Or use TOFU.

> and if you're downloading the package sources from Github then
> that's probably where you got the PGP key id from as well.

Or from any of the dozen other places you can find the developer's key.
Particularly, their independent website (which is not GitHub).
The fact that some users are stupid, is not an indictment against PGP.

> An attacker who can highjack your TLS secured source download when 
> you bump the package version could also have fed you a forged PGP key
> id when you first made the package. Upgrading to stronger checksums
> is only marginally less secure than using PGP.

What? The fingerprint is in the PKGBUILD which is downloaded via HTTPS
from a second website which requires either breaking the HTTPS security
model or violating multiple (presumably) secure channels, and is also
easily cross-verified against multiple independent sources.

PGP operates on a completely different conceptual landscape than
checksums, and is *always*, no matter what, more "secure" than
checksums. Once again, the existence of stupid users is not an
indictment against PGP, and the fact that in cherry-picked situations
PGP fails to live up to its end-user promise, is not an indictment either.

PGP tells us a lot of things. It tells us the source is authorized by
the same person who authorized multiple previous releases. It tells us
the source is the one the AUR maintainer used. It tells us that someone
who can be *absolutely* identified is the same person who did X and said
X, on various mailing lists, websites, and partial PGP trust models. It
tells us that we are still getting our sources from the same person we
got them from last week/month/year.

The fact that its mere existence is not a magic talisman saying
everything is wonderful, fine and safe... is not news, and is not a
problem either, since no one ever said that is what it was supposed to do.

The sky is not falling.

Eli Schwartz

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/pacman-dev/attachments/20170224/dfa54641/attachment-0001.asc>

More information about the pacman-dev mailing list