On 12/05/2016 11:45 PM, Eli Schwartz via arch-general wrote:
> On 12/05/2016 05:25 PM, sivmu wrote:
>> A LOT of packages do not use pgp validation even though upstream
>> provides signatures. That is the real issue here.
>>
>> Let me say this again: everyone who is responsible for arch packages
>> needs to be clearly advised to use all available methods to effectively
>> verify upstream source files.
>>
>> Using a strong hash by default won't do that.
>
> AUR packages, or repo packages? There was a todo list[1] for the repos.
>
> For anything in the AUR you should definitely drop a comment on their
> page. And change the wiki guidelines on packaging standards to mention this.
>

Yes, we really should change the wiki. I once already did, but it got reverted. The argument about false security is somehow valid. People should not think that it replaces a GPG signature. However, those people do not care at all, and if they'd use sha512 it can only have positive effects.

It does not only (but especially) apply to AUR. But I also had to rebuild some official packages (because of several issues or modifications). And strong hashes would ensure I get the same sources as the maintainer used.

So the real solution is to set strong hashes as default to help those who just don't know what is more important. But we also need to explain in which situations and why they are important (wiki).

And furthermore people should be encouraged to ask upstream to sign their sources with gpg. I did this with a lot of sources already and I also try to explain it as simply as possible for them. The more people start using GPG, the more those who don't will understand the importance. And this would also solve the hash issue. I got really positive feedback so far and also questions about GPG. People do want to secure their stuff, but they don't know how or don't know how easy it is.

Going further, I personally will not move any package to [community] unless it provides GPG signatures (excluding arduino, as I've already uploaded parts of it).

Here is a tutorial on how to set up gpg real quick and also a template to ask upstream for GPG signatures. Any contributions appreciated.

https://github.com/NicoHood/NicoHood.github.io/wiki/How-to-sign-sources-with-GPG-in-under-5-minutes
https://github.com/NicoHood/NicoHood.github.io/wiki/GPG-signatures-for-source-validation

~Nico
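As an added illustration that is not part of the thread (not Nico's code), here is a shell script that performs, outside of makepkg, the two checks the message argues for: a strong hash that pins the exact bytes the packager used, and a detached GPG signature that ties those bytes to a key the packager decided to trust, the way `sha512sums=` and `validpgpkeys=` do in a PKGBUILD. It assumes the tarball, its detached `.sig` and the upstream key (already imported into the local keyring) are present; file names and fingerprints in the usage lines are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Assumes: tarball + detached .sig downloaded,
# upstream signing key already imported into the local gpg keyring.
set -u

# Compare a file's SHA-512 with the value recorded by the packager.
# Returns 0 on match, 1 on mismatch. A match only proves you received the
# same bytes the packager hashed; it says nothing about who produced them.
check_sha512() {
    local file="$1" expected="$2" actual
    actual=$(sha512sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Verify a detached OpenPGP signature and require the signing key's full
# fingerprint to be one of the trusted fingerprints passed as extra args
# (the same idea as validpgpkeys=). Returns 0 only for a good signature
# made by a listed key; 1 for a bad signature or an unlisted signer.
check_gpg() {
    local file="$1" sig="$2" status fpr key
    shift 2
    # --status-fd 1 emits machine-readable lines; VALIDSIG carries the fingerprint
    status=$(gpg --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
    fpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $3; exit }')
    [ -n "$fpr" ] || return 1
    for key in "$@"; do
        # fingerprints are compared case-insensitively, spaces stripped
        [ "$(printf '%s' "$key" | tr -d ' ' | tr a-z A-Z)" = "$fpr" ] && return 0
    done
    return 1   # good signature, but not from a key we chose to trust
}

# Full check: hash first (cheap, catches a corrupted or swapped download),
# then the signature (the only step that actually authenticates upstream).
# Returns 0 ok, 1 hash mismatch, 2 signature or trusted-key failure.
verify_source() {
    local file="$1" expected="$2" sig="$3"
    shift 3
    check_sha512 "$file" "$expected" || { echo "hash mismatch: $file" >&2; return 1; }
    check_gpg "$file" "$sig" "$@"    || { echo "signature check failed: $file" >&2; return 2; }
    echo "ok: $file"
}

# Placeholder usage (values are not real):
# verify_source foo-1.0.tar.gz "<sha512 from the PKGBUILD>" foo-1.0.tar.gz.sig \
#     "0000 0000 0000 0000 0000  0000 0000 0000 0000 0000"
```

Run it on a freshly downloaded tarball before building; a `SKIP` in `sha512sums=` for the `.sig` file is fine, but a `SKIP` for the tarball itself means neither check happens.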