[Slackbuilds-users] MD5 hash sums

Brenton Earl brent at exitstatusone.com
Thu Aug 23 23:17:25 UTC 2018


On Fri, 2018-08-24 at 01:59 +0300, thyr at airmail.cc wrote:
> > > > Each SlackBuild archive is signed by the SBo devs, so any
> > > > modifications on the server (or in-between) would fail subsequent
> > > > verification. In that case it's the GPG signature that you trust to
> > > > verify the .info file contents (and all the rest of the SlackBuild
> > > > stuff), not the MD5 sum or whatever else is inside it.
> > > 
> > > Sorry, the question I had in mind was about MD5 sums inside it. Seems
> > > kind of strange that the SlackBuild archive is protected by a GPG
> > > signature, but the actual source tarball is not signed and is
> > > protected by an (obsolete) MD5 checksum. Isn't this situation an
> > > opportunity to MITM the source tarball itself, since some DOWNLOAD
> > > links are provided through plain HTTP?
> > 
> > Sources are not protected by us. We do not provide the MD5 sum as any
> > sort of security measure, it shouldn't be treated as one. We have no
> > agency over upstream sources, and we purposefully do not host them, so
> > we cannot provide any signature or sum that could be considered a token
> > of security.
> 
> Thanks for the clarification. I'm still struggling to get a grasp of
> its effect though..
> 
> Quoting the FAQ from https://slackbuilds.org/faq/#asc
> 
> > What are all of those .asc files in the repository?
> > 
> > Those files are GPG signatures. They can be used to verify that the
> > SlackBuild script tarball is exactly the one that we placed on the
> > site.
> 
> So, one can verify the authenticity of the SlackBuild script, but the
> authenticity of the source tarball itself used by the aforementioned
> script is uncertain? If that's the case then why would one bother with
> verifying authenticity at all? (Something authentic) x (Something that
> may or may not be authentic) == (Something that may or may not be
> authentic), right?

The maintainer is supposed to take the GPG signature, MD5 or SHA checksum
from the upstream developer and use it to authenticate the source prior
to uploading a new/updated SlackBuild.  It is the maintainer's job to
verify the source before putting their own checksum into the .info file.

-- 
Brenton Earl <brent at exitstatusone.com>
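The two layers the thread describes, as an added example that is not part of this list post or of the SlackBuilds.org tooling: the .asc signature vouches for the SlackBuild tarball (and so for the .info inside it), while the MD5SUM in .info only confirms that a downloaded source is the one the maintainer inspected. The file names, the example.info contents and the example.invalid URLs are constructed, and it assumes gpg and md5sum are installed.

```shell
# Layer 1: the .asc signature is what vouches for the SlackBuild tarball
# (usage: verify_sbo_tarball example.tar.gz, with example.tar.gz.asc beside it).
verify_sbo_tarball() {
    gpg --verify "$1.asc" "$1"
}

# Layer 2: compare each downloaded file against the MD5SUM the maintainer
# recorded. A match only says the file is what the maintainer inspected;
# it is not an upstream signature. Returns 0 if all match, 1 otherwise.
verify_sbo_sources() {
    info="$1"; srcdir="$2"
    # A .info file is plain shell assignments (backslash continuations
    # included), so sourcing it in a subshell yields DOWNLOAD and MD5SUM.
    (
        . "$info" || exit 2
        set -- $MD5SUM            # positional params now hold the sums
        status=0
        for url in $DOWNLOAD; do
            file="$srcdir/$(basename "$url")"
            want="${1:-}"; [ $# -gt 0 ] && shift
            have=$(md5sum "$file" 2>/dev/null | cut -d' ' -f1)
            if [ -n "$have" ] && [ "$have" = "$want" ]; then
                echo "ok       $file"
            else
                echo "MISMATCH $file (expected $want, got ${have:-missing})"
                status=1
            fi
        done
        exit $status
    )
}

# Constructed sample: two sources, the second sum deliberately wrong.
# md5("hello\n") is b1946ac92492d2347c6235b4d2611184; the second entry is
# the md5 of an empty file, so it cannot match "evil\n".
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/src"
    printf 'hello\n' > "$dir/src/good-1.0.tar.gz"
    printf 'evil\n'  > "$dir/src/extra-2.0.tar.gz"
    cat > "$dir/example.info" <<'EOF'
PRGNAM="example"
VERSION="1.0"
DOWNLOAD="http://example.invalid/good-1.0.tar.gz \
          http://example.invalid/extra-2.0.tar.gz"
MD5SUM="b1946ac92492d2347c6235b4d2611184 \
        d41d8cd98f00b204e9800998ecf8427e"
EOF
    echo "$dir"
}
```

Run `d=$(make_sample); verify_sbo_sources "$d/example.info" "$d/src"` to see one ok line and one MISMATCH line; the exit status is what a wrapper script should act on.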