[Slackbuilds-users] Retire MD5 for SHA256

David O'Shaughnessy lists at osh.id.au
Tue Aug 21 14:46:07 UTC 2018


On 08/10/2018 05:24 PM, B Watson wrote:
> This comes up from time to time... I personally am not opposed to it,
> theoretically it's a good idea, but it'd be a good bit of work for
> everyone (admins, maintainers, even users would be impacted).
> 
> What might be feasible: have each maintainer GPG sign the source files
> and include detached signatures (.asc) in the SlackBuild directory.
> Would require a way for users to get the maintainers' public keys,
> but there are public keyservers (and we could do the 'web of trust'
> thing by signing each others' pub keys).
> 
> The .info file format wouldn't have to change at all. We'd just start
> having one or more small .asc files included with the builds. Automated
> tools could check for them and verify the signatures after the download.
> If there's no signature, it would just say so, and continue the build.
> 
> Doing it this way puts the burden on the individual SlackBuild maintainers
> instead of adding *yet more* work to the admins' workload, and it'd stay
> backwards compatible...
> 
> Now that I think of it, this isn't at all my idea, someone on IRC was
> talking about it. Are you the same person? If so, congratulations, you
> sold me on the idea well enough that now I'm trying to sell it back to
> you :)

I wasn't the one who suggested this, but it seems like a pretty
reasonable solution!

--
Dave
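
The check B Watson describes above (look for a detached .asc after the download, verify it, and just report and continue when none is shipped), sketched as an added example that is not part of the original post and is not SlackBuilds.org code. The KEYRING path, the `<source file>.asc` naming and the function names are assumptions; `gpgv` is used so that only keys in that one keyring count as trusted.

```shell
#!/bin/sh
# Added example: optional detached-signature check for SlackBuild sources.
# KEYRING is a hypothetical path to a keyring holding only maintainers' keys.
KEYRING="${KEYRING:-/etc/sbo/maintainers.gpg}"

# check_source SRC SBDIR
# Returns 0 = signature verified, 1 = signature present but not valid,
#         2 = no signature shipped (caller reports it and continues).
check_source() {
    src=$1
    sig="$2/$(basename "$src").asc"   # assumed naming: <source file>.asc
    if [ ! -f "$sig" ]; then
        echo "NOSIG  $(basename "$src"): no signature, continuing" >&2
        return 2
    fi
    # gpgv accepts exactly the keys in KEYRING, so a signature made by an
    # unrelated key that happens to be in the user's keyring does not pass.
    if gpgv --keyring "$KEYRING" "$sig" "$src" >/dev/null 2>&1; then
        echo "GOOD   $(basename "$src")" >&2
        return 0
    fi
    # A missing gpgv or keyring also lands here: fail closed.
    echo "BAD    $(basename "$src"): signature check failed" >&2
    return 1
}

# check_all SBDIR FILE...
# Verifies every downloaded file; stops the build only on a bad signature,
# which keeps unsigned SlackBuilds working as before.
check_all() {
    dir=$1; shift
    unsigned=0
    for f in "$@"; do
        check_source "$f" "$dir" && st=0 || st=$?
        case $st in
            0) ;;
            2) unsigned=$((unsigned + 1)) ;;
            *) return 1 ;;
        esac
    done
    echo "$unsigned file(s) had no signature" >&2
    return 0
}
```

Because a missing signature is tolerated, anyone able to alter the SlackBuild directory can simply drop the .asc; the check only helps once the unsigned count is surfaced to the user or required to be zero.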

