On 12/03/2016 07:21 PM, sivmu wrote:
>
>
> On 03.12.2016 at 06:27, fnodeuser wrote:
>>
>> if an upstream does not sign the files, does not have https enabled, and/or refuses to take security and privacy seriously, sha512 must be used in the PKGBUILD files.
>
> But using a hash value without the possibility to verify the hashed
> files adds no security. It provides a false sense of security instead.
>
> I agree that we should use a strong hash by default where it makes
> sense. But in the absence of effective validation of upstream packages,
> this is meaningless.
>

It adds (possible) security for those who want to rebuild the package at a later time or modify the PKGBUILD. It ensures they get the exact same sources as the original publisher. This especially comes into play if you live in a country where you do not have much freedom online.

I also like the suggestion to also sign the ISO files with sha512sums. It would not cause any trouble to add one more hash and a lot more people will be happy. Great idea!

I also got a request from AUR: https://aur.archlinux.org/packages/snap-sync/

Those suggestions should be written down somewhere. I agree with this, as I also did a lot of things wrong and the PKGBUILD police (anthraxx) corrected those for me. I think a simple checklist with examples would be nice.

This could contain:

* Use https whenever possible
* Use GPG whenever possible
* Ask upstream if they do not use https and gpg yet (with some templates I made)
* Use strong hashes
* Add a note about the simple devtools chroot build and updpkgsums function
* Use unique sources (if you are building in the same source directory)
* Mask all variables with quotes
* Use .xz sources wherever possible (to speed up downloads on unstable/slow connections)
* Do not delete users on uninstall
* Use an underscore for user variables
* https://lists.archlinux.org/pipermail/aur-general/2016-October/032845.html

So what do you guys think if we make our implicit standards available somewhere on the wiki? This would make it more transparent on how we build stuff, how TUs should package and give a guideline for AUR maintainers, as they might not know about some details like this.

~Nico
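A small checklist linter for the points raised in this message, added here as an example; it is not code from the thread, from the AUR package or from Arch devtools. It reads PKGBUILD and .install files as text (it never sources them) and applies heuristics for each checklist item: plain http:// URLs, md5sums/sha1sums instead of sha512sums, a fetched .sig without a validpgpkeys array, unquoted $srcdir/$pkgdir paths, source file names not made unique with the name::url form, top-level variables that are not makepkg's own and lack the underscore prefix, and userdel in an install hook. The two sample PKGBUILDs and install hooks it checks are constructed for the example (example.invalid URLs, an all-zero placeholder digest and fingerprint); the STD_VARS list of makepkg variable names and the heuristics themselves are the example's own assumptions, not makepkg's validation.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: a heuristic linter for the
# PKGBUILD checklist. It treats the files as text and never sources them, so it
# is safe to run on an untrusted PKGBUILD. The checks are regex heuristics, not
# makepkg's own validation.

# Variables makepkg defines (assumed list); any other top-level variable should start with '_'.
STD_VARS='pkgbase pkgname pkgver pkgrel epoch pkgdesc arch url license groups depends makedepends checkdepends optdepends provides conflicts replaces backup options install changelog source noextract validpgpkeys md5sums sha1sums sha224sums sha256sums sha384sums sha512sums b2sums'

# Print one "file: finding" line per problem in each file given.
# Always returns 0; pkgbuild_ok turns the result into a pass/fail exit status.
pkgbuild_lint() {
    for f in "$@"; do
        grep -q 'http://' "$f" && echo "$f: plain http:// URL, use https where upstream offers it"
        grep -Eq '^[[:space:]]*(md5|sha1)sums=' "$f" && echo "$f: md5sums/sha1sums used, use sha512sums"
        if grep -Eq '\.(sig|asc)[":) ]' "$f" && ! grep -q '^validpgpkeys=' "$f"; then
            echo "$f: signature is fetched but no validpgpkeys array is set"
        fi
        # $srcdir or $pkgdir starting a path with no double quote right before it
        grep -Eq '(^|[^"])\$\{?(srcdir|pkgdir)\}?/' "$f" && echo "$f: unquoted \$srcdir/\$pkgdir path"
        # a source ending in $pkgver.tar* without a name::url rename collides in a shared SRCDEST
        grep -E '\$\{?pkgver\}?\.tar' "$f" | grep -vq '::' && echo "$f: source file name not unique, use \$pkgname-\$pkgver.tar.xz::url"
        grep -q 'userdel' "$f" && echo "$f: install hook deletes a user on uninstall"
        awk -v std="$STD_VARS" '
            BEGIN { n = split(std, a); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
            /^[a-z][a-zA-Z0-9]*=/ {
                name = $0; sub(/=.*/, "", name)
                if (!(name in ok)) print FILENAME ": custom variable " name " should be named _" name
            }' "$f"
    done
    return 0
}

# Exit status 0 when none of the given files produce a finding.
pkgbuild_ok() { [ -z "$(pkgbuild_lint "$@")" ]; }

# Constructed sample files: a PKGBUILD/.install pair that breaks the checklist
# and a pair that follows it. URLs, digest and fingerprint are placeholders.
TMP="$(mktemp -d)"
cat > "$TMP/PKGBUILD.bad" <<'EOF'
pkgname=snap-tool
pkgver=1.2.3
pkgrel=1
pkgdesc="constructed example that fails the checklist"
arch=('any')
url="http://example.invalid/snap-tool"
license=('GPL')
user=snaptool
install=snap-tool.install
source=("http://example.invalid/releases/v$pkgver.tar.gz"
        "http://example.invalid/releases/v$pkgver.tar.gz.sig")
md5sums=('SKIP' 'SKIP')

package() {
  cd $srcdir/snap-tool-$pkgver
  install -Dm755 snap-tool $pkgdir/usr/bin/snap-tool
}
EOF
cat > "$TMP/snap-tool.install.bad" <<'EOF'
post_install() { useradd -r -s /usr/bin/nologin snaptool 2>/dev/null || true; }
post_remove() { userdel snaptool; }
EOF
cat > "$TMP/PKGBUILD.good" <<'EOF'
pkgname=snap-tool
pkgver=1.2.3
pkgrel=1
pkgdesc="constructed example that passes the checklist"
arch=('any')
url="https://example.invalid/snap-tool"
license=('GPL')
_user=snaptool
install=snap-tool.install
source=("$pkgname-$pkgver.tar.xz::https://example.invalid/releases/v$pkgver.tar.xz"
        "$pkgname-$pkgver.tar.xz.sig::https://example.invalid/releases/v$pkgver.tar.xz.sig")
# placeholder digest; a real PKGBUILD takes this from updpkgsums
sha512sums=('00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'
            'SKIP')
validpgpkeys=('0000000000000000000000000000000000000000') # placeholder fingerprint

package() {
  cd "$srcdir/$pkgname-$pkgver"
  install -Dm755 snap-tool "$pkgdir/usr/bin/snap-tool"
}
EOF
cat > "$TMP/snap-tool.install.good" <<'EOF'
post_install() { useradd -r -s /usr/bin/nologin snaptool 2>/dev/null || true; }
post_remove() { echo "user snaptool is kept; remove it by hand if no longer needed"; }
EOF

echo "== findings for the bad files =="
pkgbuild_lint "$TMP/PKGBUILD.bad" "$TMP/snap-tool.install.bad"
echo "== good files =="
pkgbuild_ok "$TMP/PKGBUILD.good" "$TMP/snap-tool.install.good" && echo "no findings"
```

The bad pair yields seven findings (one per checklist item, the userdel one coming from the install hook), the good pair none. Because the checks are text heuristics, a source array split unusually across lines or a variable expanded through indirection can slip past them; the linter is a pre-commit aid, not a substitute for reviewing the PKGBUILD.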