[Slackbuilds-users] MD5 hash sums

Erik Hanson erik at slackbuilds.org
Thu Aug 23 00:41:25 UTC 2018

On 8/22/18 9:55 AM, thyr at airmail.cc wrote:
>> Each SlackBuild archive is signed by the SBo devs, so any
>> modifications on the server (or in-between) would fail subsequent
>> verification. In that case it's the GPG signature that you trust to
>> verify the .info file contents (and all the rest of the SlackBuild
>> stuff), not the MD5 sum or whatever else is inside it.
> Sorry, the question I had in mind was about MD5 sums inside it. Seems
> kind of strange that SlackBuild archive is protected by GPG signature,
> but the actual source tarball is not signed and is protected by
> (obsolete) MD5 checksum. Aren't this situation an opportunity to MITM
> the source tarball itself, since some DOWNLOAD links are provided trough
> plain HTTP?

Sources are not protected by us. We do not provide the MD5 sum as any
sort of security measure, it shouldn't be treated as one. We have no
agency over upstream sources, and we purposefully do not host them, so
we cannot provide any signature or sum that could be considered a token
of security.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.slackbuilds.org/pipermail/slackbuilds-users/attachments/20180822/17ba0a38/attachment-0001.asc>

More information about the SlackBuilds-users mailing list