[Slackbuilds-users] MD5 hashes for source code

Willy Sudiarto Raharjo willysr at slackbuilds.org
Sat Jan 16 09:50:36 UTC 2016


> May I respectfully request the beginnings of a shift away from using MD5 hashes for upstream code? Collisions have been trivial to generate for a while now, so a man-in-the-middle attacker could easily substitute different source into the build process. This would completely circumvent the GPG signatures on the SBo tarballs.
> 
> You could argue that I shouldn't be relying on the MD5 hashes when I could check the code from the upstream, but I'm already verifying the SBo tarball, why not make it cover both? As I believe it was intended originally. You can also call me paranoid and you would be right ;)
> 
> A previous comment on the issue is here: http://thread.gmane.org/gmane.linux.slackware.slackbuilds.user/10771

It has been discussed here in a recent thread
http://thread.gmane.org/gmane.linux.slackware.slackbuilds.user/11485/focus=11487



-- 
Willy Sudiarto Raharjo
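
As an added example (my own illustration, not code from SlackBuilds.org or from either poster in this thread), a small POSIX shell routine that verifies a downloaded source tarball against a SHA-256 digest, the kind of check that could stand in for an MD5SUM comparison in a build script. The function names, the `sha256sum`-style checksum-file format and the sample file contents are assumptions constructed for the example; the only digests used are the published SHA-256 test vectors for the empty string and for "abc", and the MD5 of the empty string.

```shell
#!/bin/sh
# Added example, not SBo code: verify upstream source against a SHA-256 digest
# and refuse to accept an MD5-sized digest at all.

# digest_kind HEX
# Classifies a hex digest by length: md5 (32), sha256 (64) or unknown.
digest_kind() {
    case "$1" in
        ''|*[!0-9a-fA-F]*) echo unknown; return ;;
    esac
    case ${#1} in
        32) echo md5 ;;
        64) echo sha256 ;;
        *)  echo unknown ;;
    esac
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when the SHA-256 of FILE equals EXPECTED_HEX (case-insensitive),
# 1 on mismatch, 2 when FILE is missing or EXPECTED_HEX is not a SHA-256 digest.
verify_sha256() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ "$(digest_kind "$expected")" != sha256 ]; then
        printf 'verify_sha256: refusing non-SHA-256 digest "%s"\n' "$2" >&2
        return 2
    fi
    if [ ! -f "$file" ]; then
        printf 'verify_sha256: missing file %s\n' "$file" >&2
        return 2
    fi
    # Fall back to shasum (e.g. BSD/macOS) when coreutils sha256sum is absent.
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$file" | cut -d' ' -f1)
    fi
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    printf 'verify_sha256: MISMATCH for %s\n  expected %s\n  actual   %s\n' \
        "$file" "$expected" "$actual" >&2
    return 1
}

# expected_from_sums SUMS_FILE NAME
# Prints the digest recorded for NAME in a sha256sum-style file
# ("<hex>  <name>" per line); prints nothing and returns 1 when NAME is absent.
expected_from_sums() {
    awk -v name="$2" '$2 == name { print $1; found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# Stand-alone demonstration on a constructed file whose contents are "abc".
demo_tmp=$(mktemp)
printf 'abc' > "$demo_tmp"
demo_sums=$(mktemp)
printf '%s  %s\n' ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad \
    "$(basename "$demo_tmp")" > "$demo_sums"
if verify_sha256 "$demo_tmp" "$(expected_from_sums "$demo_sums" "$(basename "$demo_tmp")")"; then
    echo "demo: checksum OK"
else
    echo "demo: checksum FAILED"
fi
rm -f "$demo_tmp" "$demo_sums"
```

In a build script the call would sit between the download step and `tar xvf`, with the expected digest read from the package's checksum file rather than hard-coded; because `digest_kind` rejects 32-character digests, a leftover MD5 value fails closed instead of silently passing.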
