[Slackbuilds-users] Retire MD5 for SHA256

B Watson yalhcru at gmail.com
Fri Aug 10 07:24:47 UTC 2018


On 8/10/18, David O'Shaughnessy <lists at osh.id.au> wrote:
>
> I understand that MD5 is useful for checking for unintentionally
> corrupted downloads, but it seems to leave open the possibility for a
> subsequently maliciously altered archive (i.e., one that uses hash
> collisions to produce the same MD5, but which would fail a GPG signature
> check).

This comes up from time to time... I personally am not opposed to it,
theoretically it's a good idea, but it'd be a good bit of work for
everyone (admins, maintainers, even users would be impacted).

What might be feasible: have each maintainer GPG sign the source files
and include detached signatures (.asc) in the SlackBuild directory.
Would require a way for users to get the maintainers' public keys,
but there are public keyservers (and we could do the 'web of trust'
thing by signing each others' pub keys).

The .info file format wouldn't have to change at all. We'd just start
having one or more small .asc files included with the builds. Automated
tools could check for them and verify the signatures after the download.
If there's no signature, it would just say so, and continue the build.

Doing it this way puts the burden on the individual SlackBuild maintainers
instead of adding *yet more* work to the admins' workload, and it'd stay
backwards compatible...

Now that I think of it, this isn't at all my idea, someone on IRC was
talking about it. Are you the same person? If so, congratulations, you
sold me on the idea well enough that now I'm trying to sell it back to
you :)


More information about the SlackBuilds-users mailing list