Re: Severity of Failed checksum for PKGBUILD




On 20/02/15 10:04 AM, Martti Kühne wrote:
> On Fri, Feb 20, 2015 at 3:53 PM, Mark Lee <mark@xxxxxxxxxxxx> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> Checksums aren't sources, they are a method of verifying the integrity
>> of sources. In other words, while different files can have the same
>> md5sum (hash collision), a failed checksum indicates something has
>> definitely changed in the package. Checksums can have false positives
>> but not false negatives.
>>
>> In other words, the provided source is definitely not the same as the
>> source the packager used (metadata difference in this case). If
>> checksums are as useless as you claim, why even offer them if they
>> cannot be reproduced for certain packages?
>>
>> Do packagers really just ignore checksums and "blindly update" on
>> every release?
>>
>> Regards,
>> Mark
> 
> 
> I get your point.
> Consider though, that Archlinux' comparably slim manpower cannot
> account for every time upstream does things to their source tarballs,
> usually in an unannounced manner. The concept is here, that ABS users
> need to figure out themselves whether *their* sources are retrafficked
> dns or the packager's. In so far as these things happen, they don't
> even have to do with archlinux that much (it's not very nice of an
> upstream to do that), so try not to bark up the wrong tree.
> 
> Cheers!
> mar77i

You should really just tell upstream to sign their releases, because it
wipes out the attack vector instead of just making it possible to audit
whether a MITM attack on the original packager occurred like hashes.

The hashes provide no security for the initial packaging work and no
defense against an attack that's done by compromising the upstream
sources, which is far more realistic than a targeted MITM attack on a
specific Arch Linux packager.

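The three situations the thread argues about (upstream re-rolling a tarball, a user's download being altered, and the packager's own download being altered before the checksum is recorded) can be played out side by side. The program below is an added illustration, not code from this thread nor from Arch's makepkg: the "tarballs" are constructed byte strings rather than real archives, and an Ed25519 key pair stands in for the OpenPGP key a PKGBUILD would pin in validpgpkeys=().

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed stand-ins for an upstream release tarball. They are plain byte
// strings, not real tar archives; the first line plays the role of archive
// metadata (mtime), the rest plays the role of the source files.
var (
	// What upstream originally published.
	ReleaseGenuine = []byte("mtime=1424000000\nsrc/main.c: int main(void){return 0;}\n")
	// Same source files, re-rolled by upstream with different archive metadata.
	ReleaseRerolled = []byte("mtime=1424500000\nsrc/main.c: int main(void){return 0;}\n")
	// Same metadata, but the source was altered in transit or on a mirror.
	ReleaseTampered = []byte("mtime=1424000000\nsrc/main.c: int main(void){evil();return 0;}\n")
)

// Sha256Hex is the digest a packager records in sha256sums=() after downloading.
func Sha256Hex(tarball []byte) string {
	sum := sha256.Sum256(tarball)
	return hex.EncodeToString(sum[:])
}

// ChecksumMatches is the check makepkg performs at build time: does the file
// the user downloaded hash to what the packager recorded?
func ChecksumMatches(recorded string, downloaded []byte) bool {
	return recorded == Sha256Hex(downloaded)
}

// Upstream holds the release signing key (Ed25519 here, OpenPGP in practice).
type Upstream struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewUpstream() (*Upstream, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Upstream{Pub: pub, priv: priv}, nil
}

// Sign produces the detached signature upstream publishes next to the tarball.
func (u *Upstream) Sign(tarball []byte) []byte {
	return ed25519.Sign(u.priv, tarball)
}

// SignatureValid is the check a signed source gets: whatever bytes the user
// downloaded must verify under the key the packager pinned.
func SignatureValid(pub ed25519.PublicKey, tarball, sig []byte) bool {
	return ed25519.Verify(pub, tarball, sig)
}

// Outcome records, for one scenario, whether each mechanism would let the
// build proceed (true) or stop it (false).
type Outcome struct {
	ChecksumPasses  bool
	SignaturePasses bool
}

// ScenarioNames fixes a display order for the results.
var ScenarioNames = []string{
	"upstream re-rolled tarball",
	"user's download tampered",
	"packager's download tampered",
}

// RunScenarios plays out the three situations discussed in the thread.
func RunScenarios() (map[string]Outcome, error) {
	up, err := NewUpstream()
	if err != nil {
		return nil, err
	}
	out := map[string]Outcome{}

	// 1. Packager fetched the genuine tarball and recorded its hash; upstream
	//    later re-rolled the tarball (metadata only) and signed the new one too.
	recorded := Sha256Hex(ReleaseGenuine)
	out[ScenarioNames[0]] = Outcome{
		ChecksumPasses:  ChecksumMatches(recorded, ReleaseRerolled),
		SignaturePasses: SignatureValid(up.Pub, ReleaseRerolled, up.Sign(ReleaseRerolled)),
	}

	// 2. Packager recorded the genuine hash; the user's download was altered.
	//    Without the key, only upstream's signature of the genuine file exists.
	out[ScenarioNames[1]] = Outcome{
		ChecksumPasses:  ChecksumMatches(recorded, ReleaseTampered),
		SignaturePasses: SignatureValid(up.Pub, ReleaseTampered, up.Sign(ReleaseGenuine)),
	}

	// 3. The packager's own download was altered, so the recorded hash is of
	//    the altered file. Every user then passes the checksum; only the
	//    signature check stops the build.
	recordedFromTampered := Sha256Hex(ReleaseTampered)
	out[ScenarioNames[2]] = Outcome{
		ChecksumPasses:  ChecksumMatches(recordedFromTampered, ReleaseTampered),
		SignaturePasses: SignatureValid(up.Pub, ReleaseTampered, up.Sign(ReleaseGenuine)),
	}
	return out, nil
}

func main() {
	results, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for _, name := range ScenarioNames {
		o := results[name]
		fmt.Printf("%-30s checksum passes: %-5v signature passes: %v\n",
			name, o.ChecksumPasses, o.SignaturePasses)
	}
}
```

Scenario 1 is Martti's case: the checksum fails on a benign re-roll, and nothing in the hash tells the user whether the difference is metadata or malice, while the signature still verifies. Scenario 3 is the point made in the reply above: a hash recorded from an already-altered download passes for every user, because the hash only binds users to whatever the packager happened to fetch. A signature binds them to whatever the holder of the pinned key signed, so it covers everything between signer and verifier; it does not help if the signing key itself is compromised or if the packager pins the wrong key.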

