On 05/08/2018 10:08 PM, Leonid Isaev via arch-general wrote:
> Hi,
>
> I'm intentionally using the title from Nov/Dec 2016 [0] to ease
> googling. I decided to check the status of this, and there are still 325
> packages with only md5sums in [core] and [extra] (I didn't check [community]).
> The results below are generated by the attached script... Is there anything I can
> do (like sending reports to the Flyspray) to help convert those PKGBUILDs to
> SHA hashes?

When you say "still", that implies that there was any sort of effort to change
that in the first place...

It will be closed as WONTFIX. That's a maintainer choice, and there are
differing opinions about whether stronger checksums are:

- not any sort of security check at all, they're there for CRC purposes, and
  using strong CRC is security theater because the maintainer probably just
  blindly ran updpkgsums without checking anything at all so they generated
  very strong fake hashes -- come back when you have PGP[1] which is actually
  security
- actively dangerous as people think strong checksums equals security, which
  makes them trust the sources even when they shouldn't; like security
  theater except used as a justification for the other extreme
- better than nothing, and therefore very useful since it ensures that you at
  least rebuilt the same thing the maintainer did
- very much security, because obviously the maintainer verifies sources out of
  band, and checksums are their way of telling us what the canonical sources
  are

FWIW I agree with point #3, but I estimate there's zero chance of universal
consensus, and would prefer not to see a failed crusade rile people up. Again.

As extensively discussed in several mailing list and forum threads, the best
way to get security which everyone agrees on is to encourage upstream
developers to PGP-sign their sources.

I've done quite a bit of work on the existing TODO[1] which we have for
implementing better PGP checks (and HTTPS for both privacy and TLS endpoint
verification), in addition to providing the patchset[2] for makepkg (available
in git master and awaiting the 5.1 release) which allows verifying git(1)
signed commits/tags. This is honestly a much better use of everyone's time.

[1] https://www.archlinux.org/todo/use-gpg-signatures-and-https-sources/
[2] https://git.archlinux.org/pacman.git/log/?id=37a89e2fac704babbe3badf0d9df0d41ec622f6f&showmsg=1

-- 
Eli Schwartz
Bug Wrangler and Trusted User
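The thread distinguishes three ways a PKGBUILD can pin its sources: an md5sums array only, a stronger checksum array, or a real PGP check (validpgpkeys plus a detached signature or a signed git tag). The script below is an added example that tells those cases apart; it is not Leonid's attached script (which is not in the archive) and not part of pacman. It assumes PKGBUILD arrays start at column 0, that a PGP check means validpgpkeys=() together with a .sig/.asc source or a git source using the `?signed` suffix that makepkg 5.1 accepts, and uses constructed sample PKGBUILDs with example.org URLs and placeholder fingerprints.

```shell
#!/bin/sh
# Added example, not from the arch-general thread and not pacman code.
# Classify how a PKGBUILD verifies its sources:
#   md5-only         only md5sums=() present (the 325-package case above)
#   strong-checksum  a sha*/b2 sums array, but no PGP verification
#   pgp              validpgpkeys=() plus a detached .sig/.asc source or a
#                    git source with the ?signed suffix (assumed makepkg 5.1 form)
#   none             no checksum array found at all
# Assumption: array assignments start at column 0, as makepkg style has it.
pkgbuild_verification() {
    f=$1
    if grep -Eq '^validpgpkeys=' "$f" &&
       grep -Eq '\.(sig|asc)([^A-Za-z0-9]|$)|\?signed' "$f"; then
        echo pgp
    elif grep -Eq '^(sha(1|224|256|384|512)|b2)sums(_[A-Za-z0-9_]+)?=' "$f"; then
        echo strong-checksum
    elif grep -Eq '^md5sums(_[A-Za-z0-9_]+)?=' "$f"; then
        echo md5-only
    else
        echo none
    fi
}

# Constructed sample PKGBUILDs, one per case; prints the directory they live in.
# Hash values are the md5/sha256 of an empty input and the fingerprints are
# placeholders; nothing here refers to a real package.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/md5-only" <<'EOF'
pkgname=foo
pkgver=1.0
source=("https://example.org/foo-$pkgver.tar.gz")
md5sums=('d41d8cd98f00b204e9800998ecf8427e')
EOF
    cat > "$d/strong" <<'EOF'
pkgname=foo
pkgver=1.0
source=("https://example.org/foo-$pkgver.tar.gz")
sha256sums=('e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855')
EOF
    cat > "$d/pgp-detached" <<'EOF'
pkgname=foo
pkgver=1.0
source=("https://example.org/foo-$pkgver.tar.gz"{,.sig})
sha256sums=('e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
            'SKIP')
validpgpkeys=('0000000000000000000000000000000000000000') # placeholder fingerprint
EOF
    cat > "$d/pgp-git" <<'EOF'
pkgname=foo-git
pkgver=1.0
source=("git+https://example.org/foo.git#tag=v$pkgver?signed")
sha256sums=('SKIP')
validpgpkeys=('0000000000000000000000000000000000000000') # placeholder fingerprint
EOF
    echo "$d"
}

# Usage: classify each sample and print "<name>: <verdict>".
samples=$(make_samples)
for p in "$samples"/*; do
    printf '%s: %s\n' "${p##*/}" "$(pkgbuild_verification "$p")"
done
rm -rf "$samples"
```

Point it at a tree of real PKGBUILDs (`for p in */PKGBUILD; do ...`) to reproduce the kind of count quoted at the top of the thread. Note that a `pgp` verdict only says the PKGBUILD asks makepkg to verify a signature; whether the fingerprint in validpgpkeys is actually upstream's is the out-of-band check that the thread says no checksum can replace.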