On 26/12/16 22:12, NicoHood wrote: > > > On 12/16/2016 05:46 PM, Diego Viola via arch-general wrote: >> On Sat, Dec 3, 2016 at 3:27 AM, fnodeuser <subscription@xxxxxxxxxxxx> wrote: >>> https://lists.archlinux.org/pipermail/arch-dev-public/2016-November/028492.html >>> >>> i have a few things to add to this. >>> >>> the message digests at the download page for the .iso file, must change to sha256 and sha512 ones, or to a sha512 one. >>> >>> if an upstream does not sign the files, does not have https enabled, and/or refuses to take security and privacy seriously, sha512 must be used in the PKGBUILD files. >>> >>> in the cases of upstreams that use md5 and/or sha1 message digests, those will be added in a second ALGOsums= line under the sha512sums= line. if they use md5 and sha1, then sha1sums must be used for the second ALGOsums= line. >> >> Once again I must say thanks, fnodeuser. >> > > Yesterday I wanted to install ArchLinux on someone else computer. He > used Windows until now and had no gpg handy yet (it is really annoying > to install on windows). > > So we needed to verify the source otherwise. But there was no real > option as md5/sha1 is broken and his internet is too slow to download it > again via torrent. We did not install Arch then and I will send him my > sha512sum from my computer the next days where I did a torrent download. > > The ArchLinux website connects via https. His mirror that he used did > not (http or ftp). So we had a real problem and there was no way to > verify the source properly. Adding sha256 and sha512 would not cause > more trouble but would be extremely helpful here. > > @Allan I think you are responsible for this if I am correct. Would you > please be so kind and add sha256 sums to the download page? I have nothing to do with this. Also, is there even a theoretical case where a joint md5 and sha1 collision has occured?
