[Slackbuilds-users] MD5 hash sums

Tim Dickson dickson.tim at googlemail.com
Wed Aug 22 21:53:34 UTC 2018 


On 22/08/2018 15:55, thyr at airmail.cc wrote:
>> Each SlackBuild archive is signed by the SBo devs, so any 
>> modifications on the server (or in-between) would fail subsequent 
>> verification. In that case it's the GPG signature that you trust to 
>> verify the .info file contents (and all the rest of the SlackBuild 
>> stuff), not the MD5 sum or whatever else is inside it.
>
> Sorry, the question I had in mind was about MD5 sums inside it. Seems 
> kind of strange that SlackBuild archive is protected by GPG signature, 
> but the actual source tarball is not signed and is protected by 
> (obsolete) MD5 checksum. Aren't this situation an opportunity to MITM 
> the source tarball itself, since some DOWNLOAD links are provided 
> trough plain HTTP?
unless you are running over public wifi or internet cafe, a MITM attack 
on a source gz is less likely than someone breaking in to your 
hoise/business and planting malware on your pc/laptop. It would mean 
your ISP was compromised, in  which case you have bigger issues to worry 
about than sourcde code frome some sites being changed on the fly.

When you bear in mind that source code is usually compressed, it is not 
so easy to change bits while keeping the md5 sum the same and also not 
causing the archive to be un-openable because of the changes.- the 
changes would break the checksums inside the gz file format.
>
> GnuPG FAQ quote (https://gnupg.org/faq/gnupg-faq.html#define_sha):
>
>> SHA-224, 256, 384, or 512: This is a massively-overhauled SHA-1 which 
>> generates larger hashes (224, 256, 384, or 512 bits). Right now, 
>> these are the strongest hashes in GnuPG.
>
> vs
>
>> MD5 is a 128-bit cryptographic hash function invented by Ron Rivest 
>> (the ‘R’ of ‘RSA’) in the early 1990s. For many years it was one of 
>> the standard algorithms of the field, but is now completely obsolete. 
>> For that reason, MD5 is not supported by GnuPG.
>
> Wouldn't it be better to use, say, SHA512 instead?
> _______________________________________________
> SlackBuilds-users mailing list
> SlackBuilds-users at slackbuilds.org
> https://lists.slackbuilds.org/mailman/listinfo/slackbuilds-users
> Archives - https://lists.slackbuilds.org/pipermail/slackbuilds-users/
> FAQ - https://slackbuilds.org/faq/
>

More information about the SlackBuilds-users mailing list