On 17/01/14 09:56, Jason St. John wrote:
> On Thu, Jan 16, 2014 at 5:50 PM, Allan McRae <[email protected]> wrote:
>> On 17/01/14 08:41, Jason St. John wrote:
>>> MD5 has been significantly compromised for years; switching to a more
>>> secure hash function, such as SHA-1, is long overdue.
>>>
>>> Signed-off-by: Jason St. John <[email protected]>
>>
>> No. It is up to the packager to fill out the checksums with what is
>> provided upstream. Because if upstream do not provide the checksums,
>> they are pointless. Even better if upstream provides signatures.
>>
>> Allan
>>
>>
>
> There are still two benefits to changing the default checksum:
> 1) The AUR uses HTTPS by default, which ensures that the source
> tarball has not been tampered with in transit. Using a better hash
> function reduces the chances of an attacker man-in-the-middle'ing
> end-users when they download the sources from upstream, even over
> unsecure connections (e.g. unencrypted Wi-Fi, regular HTTP).
> 2) Most packagers just leave the default option simply because it's
> the default, and I would argue that it is rare for packagers,
> especially AUR maintainers, to use the same checksum algorithm as
> upstream. To be honest, I didn't know that the purpose of the checksum
> was so it could be compared to upstream; I assumed it was a security
> mechanism for point 1, above.
>
If packagers are just using the default, then it is unlikely they have checked if upstream actually provided checksums and they are relatively useless anyway.

Allan
