[Slackbuilds-users] MD5 hash sums

thyr at airmail.cc thyr at airmail.cc
Thu Aug 23 22:59:59 UTC 2018

>>> Each SlackBuild archive is signed by the SBo devs, so any
>>> modifications on the server (or in-between) would fail subsequent
>>> verification. In that case it's the GPG signature that you trust to
>>> verify the .info file contents (and all the rest of the SlackBuild
>>> stuff), not the MD5 sum or whatever else is inside it.
>> Sorry, the question I had in mind was about MD5 sums inside it. Seems
>> kind of strange that SlackBuild archive is protected by GPG signature,
>> but the actual source tarball is not signed and is protected by
>> (obsolete) MD5 checksum. Aren't this situation an opportunity to MITM
>> the source tarball itself, since some DOWNLOAD links are provided 
>> trough
>> plain HTTP?
> Sources are not protected by us. We do not provide the MD5 sum as any
> sort of security measure, it shouldn't be treated as one. We have no
> agency over upstream sources, and we purposefully do not host them, so
> we cannot provide any signature or sum that could be considered a token
> of security.

Thanks for the clarification. I'm still struggling getting the grasp of 
it's effect though..

Quoting the FAQ from https://slackbuilds.org/faq/#asc

> What are all of those .asc files in the repository?
> Those files are GPG signatures. They can be used to verify that the 
> SlackBuild script tarball is exactly the one that we placed on the 
> site.

So, one can verify the authenticity of the SlackBuild script, but the 
authenticity of the source tarball itself used by the aforementioned 
script is uncertain? If that's the case then why would one bother with 
verifying authenticity at all? (Something authentic) x (Something that 
may or may not be authentic) == (Something that may or may not be 
authentic), right?

More information about the SlackBuilds-users mailing list