On Thu, Jan 16, 2014 at 5:50 PM, Allan McRae <[email protected]> wrote:
> On 17/01/14 08:41, Jason St. John wrote:
>> MD5 has been significantly compromised for years; switching to a more
>> secure hash function, such as SHA-1, is long overdue.
>>
>> Signed-off-by: Jason St. John <[email protected]>
>
> No. It is up to the packager to fill out the checksums with what is
> provided upstream. Because if upstream do not provide the checksums,
> they are pointless. Even better if upstream provides signatures.
>
> Allan
>
There are still two benefits to changing the default checksum:

1) The AUR uses HTTPS by default, which ensures that the source tarball has
not been tampered with in transit. Using a better hash function reduces the
chances of an attacker man-in-the-middle'ing end-users when they download the
sources from upstream, even over insecure connections (e.g. unencrypted Wi-Fi,
regular HTTP).

2) Most packagers just leave the default option simply because it's the
default, and I would argue that it is rare for packagers, especially AUR
maintainers, to use the same checksum algorithm as upstream.

To be honest, I didn't know that the purpose of the checksum was so it could
be compared to upstream; I assumed it was a security mechanism for point 1,
above.

Jason
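The verification step the thread is arguing about, as an added shell example that is not part of either mailing-list post and not makepkg's own code: a small function compares a downloaded source file against a digest that upstream published separately, using the coreutils `md5sum`/`sha1sum`/`sha256sum`/`sha512sum` tools, so that a file modified in transit fails the check no matter which algorithm is used. The sample file, the "upstream" digests and the tampered copy are constructed here for the demonstration.

```shell
#!/bin/sh
# Verify a downloaded source file against a checksum published by upstream.
# Usage: verify_source <file> <algorithm> <expected-hex-digest>
# <algorithm> is one of md5, sha1, sha256, sha512 (coreutils "${algo}sum").
#
# The expected digest must come from a channel other than the download
# itself (upstream's release page, a signed announcement, ...). A digest
# computed from the same file that is being checked proves nothing, which is
# the point Allan makes in the thread.
verify_source() {
    file=$1
    algo=$2
    expected=$3
    case "$algo" in
        md5|sha1|sha256|sha512) ;;
        *) echo "unsupported algorithm: $algo" >&2; return 2 ;;
    esac
    actual=$("${algo}sum" "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "$file: $algo OK"
        return 0
    fi
    echo "$file: $algo FAILED (expected $expected, got $actual)" >&2
    return 1
}

# Constructed sample: a stand-in "tarball" containing the bytes "hello\n",
# plus the digests a hypothetical upstream would publish beside it.
SAMPLE=$(mktemp)
printf 'hello\n' > "$SAMPLE"
UPSTREAM_MD5=b1946ac92492d2347c6235b4d2611184
UPSTREAM_SHA256=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

# Constructed tampered copy: one extra byte, as a MITM or corrupt mirror
# would produce. Every algorithm detects this; the difference between them
# is only how hard it is to craft a *matching* forgery.
TAMPERED=$(mktemp)
printf 'hello!\n' > "$TAMPERED"

# Stand-alone run: checks pass for the genuine file and fail for the copy.
verify_source "$SAMPLE" sha256 "$UPSTREAM_SHA256"
verify_source "$SAMPLE" md5 "$UPSTREAM_MD5"
verify_source "$TAMPERED" sha256 "$UPSTREAM_SHA256" || echo "tampered copy rejected"
```

The `case` whitelist keeps the function from running an arbitrary `${algo}sum` command if the algorithm name comes from an untrusted source, and the comparison is a plain string equality on the hex digest, which is what makepkg's `*sums` arrays amount to.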
