[Slackbuilds-users] MD5 hash sums

Erik Hanson erik at slackbuilds.org
Fri Aug 24 03:36:05 UTC 2018


On 8/23/18 5:59 PM, thyr at airmail.cc wrote:

> So, one can verify the authenticity of the SlackBuild script, but the
> authenticity of the source tarball itself used by the aforementioned
> script is uncertain? If that's the case then why would one bother with
> verifying authenticity at all? (Something authentic) x (Something that
> may or may not be authentic) == (Something that may or may not be
> authentic), right?

It's been mentioned in this thread enough times that MD5 has not fallen
to the attack you think it has, so I won't repeat that talking point,
but I will try and clarify something.

The checksums are not there to verify authenticity. Everyone seems to be
putting far too much stock in the MD5 sums in the .info files. I can't
stress this enough: they're not there for security.

You could almost think of it as a version number. If the file you
download matches the MD5 sum provided, then you know it's the same file
the maintainer used, and the same file the SlackBuild was tested against
by a SlackBuilds.org admin. This helps to ensure the SlackBuild will
work as intended, creating a valid package.

What the MD5 sum can, and does do on a regular basis, is raise a red
flag when it mismatches. Possibly the source has gone missing, or been
replaced by upstream without a change to the file name. These things
happen often enough that it's important we have a checksum, and that
people use it rather than complain that a SlackBuild is broken.

However, you absolutely cannot assume that because the MD5 sum matches
that the file is in any way "safe" or was not tampered with /before/ the
maintainer got to it. Auditing or policing upstream sources is far
beyond the scope of this project. We could use the strongest hashing
algorithm available, but telling people it's a mark of authenticity
would be nothing but theater.


-- 
Erik
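The check the mail describes (same file the maintainer tested with, mismatch is a red flag that the source changed or went missing, nothing more), as an added shell example that is not from the list or from SlackBuilds.org. It assumes coreutils `md5sum`; the `.info` file, the file content and the `example.invalid` URL are constructed here, nothing is fetched.

```shell
#!/bin/sh
# Added example, not SlackBuilds.org code: compare a downloaded source
# file with the MD5SUM in a SlackBuild .info file. A mismatch means "not
# the file the maintainer tested", not a verdict on authenticity.

# MD5 of a file using coreutils md5sum (shipped with Slackware).
md5_of() {
    md5sum "$1" | cut -d' ' -f1
}

# check_sbo_source <path to .info> <directory holding the downloads>
# Exit status: 0 all files present and matching, 2 a file is missing,
# 1 a file is present but its sum differs from the .info.
check_sbo_source() {
    info="$1"; dir="$2"; rc=0
    . "$info"                # .info files are plain shell assignments
    set -- $MD5SUM           # expected sums, in DOWNLOAD order
    for url in $DOWNLOAD; do
        want="$1"; shift
        name="${url##*/}"; file="$dir/$name"
        if [ ! -f "$file" ]; then
            echo "MISSING  $name (not downloaded, or gone upstream?)"
            rc=2
        elif [ "$(md5_of "$file")" != "$want" ]; then
            echo "MISMATCH $name (upstream replaced it under the same name?)"
            if [ "$rc" -eq 0 ]; then rc=1; fi
        else
            echo "OK       $name (same file the maintainer tested with)"
        fi
    done
    return "$rc"
}

# Constructed demo: a fake .info and a fake "tarball" containing just
# "hello" (MD5 b1946ac92492d2347c6235b4d2611184). Placeholder URL only.
make_demo() {
    d=$(mktemp -d)
    printf 'hello\n' > "$d/foo-1.0.tar.gz"
    cat > "$d/foo.info" <<'EOF'
PRGNAM="foo"
VERSION="1.0"
DOWNLOAD="http://example.invalid/foo-1.0.tar.gz"
MD5SUM="b1946ac92492d2347c6235b4d2611184"
EOF
    echo "$d"
}

demo=$(make_demo)
check_sbo_source "$demo/foo.info" "$demo"
```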
