[pacman-dev,0/2] Deprecate md5sums, show sha256sums as an example-by-default.

Message ID 20170223213117.26155-1-mikeonthecomputer@gmail.com

Mike Swanson Feb. 23, 2017, 9:31 p.m. UTC
Both the MD5 and SHA-1 hash functions have known collision attacks,
providing an attack vector for malicious hosts and MITMs to provide
tampered code without being detected by md5 or sha1 hashing.

We should move to sha256-by-default, and encourage their use by
changing the documentation and example files to follow suit.  The
SHA-2 family of hashes is currently secure against normal attacks
(even at the scale of having Facebook's or Google's datacenters).  In
the future, pacman should gain SHA-3 support though, because SHA-2
itself has some theoretical preimage attacks and possible collision
attacks.

Mike Swanson (2):
  proto: Encourage the use of sha256sums by example.
  doc, makepkg.conf: Deprecate md5sums, show examples using sha256sums.

 doc/PKGBUILD-example.txt   |  4 ++--
 doc/PKGBUILD.5.txt         | 31 +++++++++++++++++++------------
 doc/makepkg-template.1.txt |  2 +-
 etc/makepkg.conf.in        |  2 +-
 proto/PKGBUILD-split.proto |  2 +-
 proto/PKGBUILD-vcs.proto   |  2 +-
 proto/PKGBUILD.proto       |  2 +-
 7 files changed, 26 insertions(+), 19 deletions(-)
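As an added illustration of the check this series steers packagers toward, here is a small POSIX shell re-creation of the source-checksum step makepkg runs over a PKGBUILD's source=() and sha256sums=() entries (including the SKIP marker); it is not code from pacman, it assumes GNU coreutils sha256sum, and the sample files it verifies are constructed on the fly.

```shell
# Added example, not pacman's own code: a minimal re-creation of makepkg's
# source-checksum step over PKGBUILD-style source=() / sha256sums=() entries.
# Assumes GNU coreutils sha256sum; the sample files below are constructed.

# verify_one FILE EXPECTED: 0 on match or when EXPECTED is SKIP, 1 on mismatch.
verify_one() {
    _file=$1; _expected=$2
    if [ "$_expected" = "SKIP" ]; then
        echo "    $_file ... Skipped"; return 0
    fi
    _actual=$(sha256sum "$_file" | cut -d' ' -f1)
    if [ "$_actual" = "$_expected" ]; then
        echo "    $_file ... Passed"; return 0
    fi
    echo "    $_file ... FAILED (expected $_expected, got $_actual)" >&2
    return 1
}

# verify_sources "FILES..." "SUMS...": every entry must pass, as in makepkg.
verify_sources() {
    _files=$1; set -- $2; _rc=0
    echo "==> Validating source files with sha256sums..."
    for _f in $_files; do
        if [ $# -eq 0 ]; then
            echo "    $_f ... FAILED (no checksum listed)" >&2; return 1
        fi
        verify_one "$_f" "$1" || _rc=1
        shift
    done
    return $_rc
}

# demo_tamper_detection: 0 if the pristine tarball passes and a modified one fails.
demo_tamper_detection() {
    _dir=$(mktemp -d) || return 1
    printf 'constructed tarball bytes\n' > "$_dir/demo-1.0.tar.gz"
    printf 'constructed install script\n' > "$_dir/demo.install"
    _sum=$(sha256sum "$_dir/demo-1.0.tar.gz" | cut -d' ' -f1)
    _srcs="$_dir/demo-1.0.tar.gz $_dir/demo.install"
    _ok=1
    verify_sources "$_srcs" "$_sum SKIP" || _ok=0
    printf 'one appended line changes the digest\n' >> "$_dir/demo-1.0.tar.gz"
    verify_sources "$_srcs" "$_sum SKIP" 2>/dev/null && _ok=0
    rm -rf "$_dir"
    [ "$_ok" = 1 ]
}

demo_tamper_detection && echo "==> Tampered source was rejected, as expected"
```

The same structure applies to any hash makepkg supports; the point of the series is only which array the example files and documentation lead with.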