[Slackbuilds-users] MD5 hash sums

David O'Shaughnessy lists at osh.id.au
Wed Aug 22 04:09:17 UTC 2018


On 08/21/2018 09:32 PM, thyr at airmail.cc wrote:
> Hello.
> 
> I have a question about DOWNLOAD and MD5SUM variables in the
> <package>.info files.
> 
> As this page https://www.gnupg.org/faq/weak-digest-algos.html states:
> 
>> It is better to entirely avoid the MD5 algorithm and don't put any
>> value in signatures based on MD5.
> 
> Would that be a valid concern for the .info files?
> 
> A lot of DOWNLOAD links are plain http ones and thus are susceptible to
> MITM tinkering on the ISP side...

Each SlackBuild archive is signed by the SBo devs, so any modifications
on the server (or in-between) would fail subsequent verification. In
that case it's the GPG signature that you trust to verify the .info file
contents (and all the rest of the SlackBuild stuff), not the MD5 sum or
whatever else is inside it.

--
Dave
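
The verification order described in the reply above, as an added example that is not part of the original message or of the SBo tooling: check the GPG signature on the SlackBuild archive first, and only then use the MD5SUM values from its .info file to check the downloaded sources. The function names, the detached `.asc` signature beside the archive, and the directory layout are assumptions, and the SBo signing key is assumed to be in the local keyring already.

```shell
#!/bin/sh
# Added example. Assumed layout: foo.tar.gz and foo.tar.gz.asc (SlackBuild
# archive and detached signature), the unpacked foo/foo.info, and a directory
# holding the files fetched from the DOWNLOAD URLs.

# Step 1: the signature covers the whole archive, .info file included.
verify_archive() {   # usage: verify_archive foo.tar.gz
    gpg --verify "$1.asc" "$1"
}

# Step 2: compare every downloaded source with the MD5SUM listed for it.
# The listed sums are only meaningful if step 1 succeeded for this .info.
check_sources() {    # usage: check_sources /path/to/foo.info download_dir
    (
        set -f                     # no globbing on URLs containing ? or *
        . "$1" || exit 2           # .info files are plain shell assignments
        dir=$2
        set -- $MD5SUM             # positional params now hold the sums
        for url in $DOWNLOAD; do
            want=${1:-}
            [ $# -gt 0 ] && shift
            file=$dir/${url##*/}
            got=$(md5sum "$file" 2>/dev/null | cut -d' ' -f1)
            if [ -z "$want" ] || [ "$got" != "$want" ]; then
                echo "MISMATCH: $file" >&2
                exit 1
            fi
        done
        exit 0
    )
}

# Refuse to look at MD5SUM at all when the signature does not verify.
verify_slackbuild() { # usage: verify_slackbuild foo.tar.gz /path/foo.info dir
    verify_archive "$1" || {
        echo "signature check failed; not trusting $2" >&2
        return 1
    }
    check_sources "$2" "$3"
}
```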

