On 12/26/2016 01:21 PM, Allan McRae wrote: > On 26/12/16 22:12, NicoHood wrote: >> >> >> On 12/16/2016 05:46 PM, Diego Viola via arch-general wrote: >>> On Sat, Dec 3, 2016 at 3:27 AM, fnodeuser <subscription@xxxxxxxxxxxx> wrote: >>>> https://lists.archlinux.org/pipermail/arch-dev-public/2016-November/028492.html >>>> >>>> i have a few things to add to this. >>>> >>>> the message digests at the download page for the .iso file, must change to sha256 and sha512 ones, or to a sha512 one. >>>> >>>> if an upstream does not sign the files, does not have https enabled, and/or refuses to take security and privacy seriously, sha512 must be used in the PKGBUILD files. >>>> >>>> in the cases of upstreams that use md5 and/or sha1 message digests, those will be added in a second ALGOsums= line under the sha512sums= line. if they use md5 and sha1, then sha1sums must be used for the second ALGOsums= line. >>> >>> Once again I must say thanks, fnodeuser. >>> >> >> Yesterday I wanted to install ArchLinux on someone else computer. He >> used Windows until now and had no gpg handy yet (it is really annoying >> to install on windows). >> >> So we needed to verify the source otherwise. But there was no real >> option as md5/sha1 is broken and his internet is too slow to download it >> again via torrent. We did not install Arch then and I will send him my >> sha512sum from my computer the next days where I did a torrent download. >> >> The ArchLinux website connects via https. His mirror that he used did >> not (http or ftp). So we had a real problem and there was no way to >> verify the source properly. Adding sha256 and sha512 would not cause >> more trouble but would be extremely helpful here. >> >> @Allan I think you are responsible for this if I am correct. Would you >> please be so kind and add sha256 sums to the download page? > > I have nothing to do with this. > > Also, is there even a theoretical case where a joint md5 and sha1 > collision has occured? > Oh sorry. ArchLinux wants to KISS, so we should simply add stronger hashes instead of requiring the user to download two tools. Its quite a struggle to find a hash tool for windows anyways. Also the website should state from which person the signature is and which fingerprint it uses. I still could not find this information (otherwise I'd contact this person). Going to add a bugreport instead: https://bugs.archlinux.org/task/52273
Attachment:
signature.asc
Description: OpenPGP digital signature
