[pacman-dev] [PATCH] Replace MD5 with SHA-256 as a default file integrity check in PKGBUILDs

[Eli Schwartz]

On 1/23/20 8:32 AM, Giancarlo Razzolini wrote:
> Em janeiro 22, 2020 23:30 Eli Schwartz escreveu:
>> So ultimately that is what this discussion will always devolve to:
>>
>> - Do we want to ensure TOFU?
> 
> Yes.
> 
>> - Do we want to give PKGBUILDs the default black mark "uses md5sums
>>   because maintainer doesn't care about researching sources"?
>>
> 
> No. Encouraging best packaging practices can and should be done right
> from the start.
> 
> This discussion is pointless though. Let's continue to use md5sums until
> it's completely broken, then we can switch to something else.

Then I'm sure you'll be delighted to know that the last time this
discussion was brought up (a couple years ago?) Allan said he wanted to
add "cksum" support and switch to that for a default. Rationale: both
md5sum and cksum are already completely broken, but no one deludes
themselves when they see "cksum" into thinking that it is anything but
deliberate, and no one deludes themselves into thinking that there is
any possibility it is secure.

(The same thing is true of md5sum, both that its presence in makepkg is
deliberate, and that it's not even intended to be secure. The difference
is that with md5sum, people can lie to themselves about both.)

And, sure enough, someone brought up the discussion again, and, sure
enough, Allan has fulfilled on his promise with the patch submission
which is a response to this thread:

"makepkg: add CRC checksums and set these to be the default"

-- 
Eli Schwartz
Bug Wrangler and Trusted User

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1601 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/pacman-dev/attachments/20200123/78335850/attachment.sig>