[pacman-dev] [PATCH 1/2] Note that checksums from "makepkg -g" are not ideal

Allan McRae allan at archlinux.org
Thu Jan 23 02:18:30 UTC 2020


Generating checksums with "makepkg -g" only determines that the user of a
PKGBUILD has the same file as the packager (assuming no collision).  This
means an upstream source could be maliciously changed and passed on as valid
by a PKGBUILD.  To avoid this, it is essential that any checksums used in
a PKGBUILD are as provided by upstream.

Signed-off-by: Allan McRae <allan at archlinux.org>
---
 doc/PKGBUILD.5.asciidoc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/doc/PKGBUILD.5.asciidoc b/doc/PKGBUILD.5.asciidoc
index ef53c0ee..abe2ab52 100644
--- a/doc/PKGBUILD.5.asciidoc
+++ b/doc/PKGBUILD.5.asciidoc
@@ -152,7 +152,9 @@ contain whitespace characters.
 	file integrity during subsequent builds. If 'SKIP' is put in the array
 	in place of a normal hash, the integrity check for that source file will
 	be skipped. To easily generate md5sums, run ``makepkg -g >> PKGBUILD''.
-	If desired, move the md5sums line to an appropriate location.
+	If desired, move the md5sums line to an appropriate location.  Note that
+	checksums generated by "makepkg -g" provide little security benefit. All
+	checksum values should be as provided by the software developer.
 
 *sha1sums, sha224sums, sha256sums, sha384sums, sha512sums, b2sums (arrays)*::
 	Alternative integrity checks that makepkg supports; these all behave
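Review bot: the new sentence sits directly after "To easily generate md5sums, run ``makepkg -g >> PKGBUILD''", so the paragraph now recommends a command and immediately says its output "provide[s] little security benefit" without saying what the generated values are still good for; consider stating what the commit message says, that they only confirm a user has the same file as the packager, and say what to do when the developer publishes no checksums (the text above already documents 'SKIP'). Also, the hunk quotes "makepkg -g" with plain double quotes while the existing line uses the asciidoc ``makepkg -g'' form; pick one for consistency, and "software developer" here versus "upstream" in the commit message should probably use the same term.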
-- 
2.25.0
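The following script is an added illustration of the point made in the commit message; it is not part of the patch or of pacman's code. It simulates what "makepkg -g" does (hash whatever source file is already in the build directory) against what the patch asks for (a checksum copied from the software developer), using a constructed "upstream" file and a constructed altered download. The file names, the `foo-1.0` version and the extra bytes appended to the download are all made up for the demonstration; the hash function is SHA-256 via `sha256sum` (or `shasum` where coreutils is absent).

```shell
#!/bin/sh
# Added demonstration (not part of pacman or of this patch): a checksum
# generated from an already-downloaded file cannot detect tampering that
# happened before the download, while a developer-published checksum can.
set -u

# Portable SHA-256 of a file (sha256sum on coreutils, shasum on BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# What "makepkg -g" effectively does: hash the file that is in the build dir.
generate_local_checksum() {
    sha256_of "$1"
}

# What makepkg does at build time: compare the file with the PKGBUILD value.
# Returns 0 when the file matches the expected digest, 1 when it does not.
verify_checksum() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: the tarball as released upstream, and the checksum the
# developer publishes next to it (in practice copied from the release page).
printf 'genuine upstream release 1.0\n' > "$WORK/foo-1.0.tar"
UPSTREAM_SHA256=$(sha256_of "$WORK/foo-1.0.tar")

# Constructed sample: the copy the packager downloaded was altered somewhere
# between upstream and the packager (mirror, proxy, ...).
DOWNLOADED="$WORK/foo-1.0-downloaded.tar"
cp "$WORK/foo-1.0.tar" "$DOWNLOADED"
printf 'unexpected extra bytes\n' >> "$DOWNLOADED"

# Case 1: checksum generated locally, "makepkg -g" style, from the altered
# file. It matches by construction, so every later user sees a clean check.
LOCAL_SHA256=$(generate_local_checksum "$DOWNLOADED")
if verify_checksum "$DOWNLOADED" "$LOCAL_SHA256"; then
    echo "locally generated checksum: PASS (alteration not detected)"
fi

# Case 2: checksum copied from upstream. The altered file fails validation.
if verify_checksum "$DOWNLOADED" "$UPSTREAM_SHA256"; then
    echo "upstream checksum: PASS"
else
    echo "upstream checksum: FAIL (alteration detected)"
fi
```

The two `verify_checksum` calls are the whole argument: the locally generated value passes regardless of what the file contains, so it only guards against later corruption of the same file; only the value published by the developer ties the build to what upstream actually released.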

