[Slackbuilds-users] MD5 hashes for source code

Willy Sudiarto Raharjo willysr at slackbuilds.org
Sat Jan 16 09:50:36 UTC 2016

> May I respectfully request the beginnings of a shift away from using MD5 hashes for upstream code? Collisions have been trivial to generate for a while now, so a man-in-the-middle attacker could easily substitute different source into the build process. This would completely circumvent the GPG signatures on the SBo tarballs.
> You could argue that I shouldn't be relying on the MD5 hashes when I could check the code from the upstream, but I'm already verifying the SBo tarball, why not make it cover both? As I believe it was intended originally. You can also call me paranoid and you would be right ;)
> A previous comment on the issue is here: http://thread.gmane.org/gmane.linux.slackware.slackbuilds.user/10771

It has been discussed here in a recent thread

Willy Sudiarto Raharjo

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://lists.slackbuilds.org/pipermail/slackbuilds-users/attachments/20160116/7d4d6160/attachment.asc>

More information about the SlackBuilds-users mailing list