You are not logged in.

#1 2013-04-04 23:31:13

heinrich5991
Member
Registered: 2012-10-01
Posts: 13

Integrity check still defaults to md5 even after pacman 4.1.0

I wonder whether there is a specific reason for the integrity check in /etc/makepkg.conf to default to md5, since md5 is broken in terms of collisions.

Doesn't that enable evil people to use two different files where the integrity check should actually ensure that only one is served?

Edit: as the title suggests I thought it would change with pacman 4.1.0 :)

Last edited by heinrich5991 (2013-04-04 23:31:48)

Offline

#2 2013-04-04 23:43:30

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,365
Website

Re: Integrity check still defaults to md5 even after pacman 4.1.0

It is a quick download integrity check, not a source integrity check (PGP signatures should be used instead).  And you can change it to whatever you want...

Offline

#3 2013-04-05 09:06:25

heinrich5991
Member
Registered: 2012-10-01
Posts: 13

Re: Integrity check still defaults to md5 even after pacman 4.1.0

Allan wrote:

It is a quick download integrity check, not a source integrity check (PGP signatures should be used instead).  And you can change it to whatever you want...

It's not about the source check, I think I'm aware of that. However it is in place to ensure that all people having the same checksum in the PKGBUILD should get the *same* sources, which md5 isn't able to provide.

Offline

#4 2013-04-05 09:40:23

jacobopantoja
Member
From: Madrid
Registered: 2011-03-16
Posts: 44

Re: Integrity check still defaults to md5 even after pacman 4.1.0

Why md5 is not able to provide? A collision was generated once for server certificates, but doing a collision for a package is (as far as I know) impossible nowadays. We should move out from md5, but the probability of having a collision on data packages is very near to 0. Am I missing something?

Offline

Board footer

Powered by FluxBB