FS#10573 - Elinks package has no md5sums

Attached to Project: Arch Linux
Opened by David Rosenstrauch (darose) - Tuesday, 03 June 2008, 01:08 GMT
Last edited by Eric Belanger (Snowman) - Wednesday, 04 June 2008, 01:15 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Damir Perisa (damir.perisa)
Eric Belanger (Snowman)
Architecture All
Severity Low
Priority Normal
Reported Version 2007.08-2
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Like the description says, elinks package has no md5sums, and so gives a warning when building it via makepkg.

This is obviously a potential security risk.

Closed by Eric Belanger (Snowman)
Wednesday, 04 June 2008, 01:15 GMT
Reason for closing: Fixed
Additional comments about closing: fixed in elinks-0.11.4rc1-2
Comment by David Rosenstrauch (darose) - Tuesday, 03 June 2008, 01:15 GMT
Hmmm .... upon further investigation, I'm even more confused:

Firefox package doesn't have md5sums either; kernel26 does.

What's the rule here? Are md5sums optional on official packages? Or are they omitted on all/some packages in extra? Or is this indeed a bug?
Comment by Aaron Griffin (phrakture) - Tuesday, 03 June 2008, 16:09 GMT
It's not a "bug", it's not a "security risk", it's just a minor oversight.

The best thing to do is to simply email the maintainer and say "hey, whoops, you forgot these"
Comment by David Rosenstrauch (darose) - Tuesday, 03 June 2008, 18:03 GMT
It may be an oversight, but it is a security risk too. If someone rebuilds a package and finds that the md5sums for the source archives differ from the ones used to build the package previously, then there's a strong chance that either the original or subsequent source archives (or both) have been compromised.

Anyway, I'll contact the relevant maintainers. Feel free to close this.
Comment by Aaron Griffin (phrakture) - Tuesday, 03 June 2008, 19:11 GMT
md5sums are not and never have been for security. They are for _integrity_
Comment by David Rosenstrauch (darose) - Tuesday, 03 June 2008, 19:22 GMT
You're right. I stand corrected.

http://en.wikipedia.org/wiki/MD5#Applications
Comment by Eric Belanger (Snowman) - Wednesday, 04 June 2008, 00:25 GMT
I'll need to rebuild elinks because of an upcoming gpm soname bump: http://archlinux.org/pipermail/arch-dev-public/2008-June/006402.html
So this bug will be fixed at the same time.
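
The check discussed in this thread, as an added example that is not part of the original report or of Arch's tooling: it flags a PKGBUILD whose source array has no matching md5sums, and compares a file on disk with a recorded sum. The function names, the demo package and the example.org URL are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag PKGBUILDs whose sources lack md5sums, then check a file.
# Like makepkg, this sources the PKGBUILD (in a child bash), so run it only
# on build files you would build anyway.

# Print "<source count> <md5sums count>" for the PKGBUILD given as $1.
pkgbuild_counts() {
    bash -c '. "$1" >/dev/null 2>&1; echo "${#source[@]} ${#md5sums[@]}"' _ "$1"
}

# Print "ok", "missing" (no md5sums at all) or "incomplete" (count mismatch).
audit_pkgbuild() {
    set -- $(pkgbuild_counts "$1")
    if [ "$1" -eq 0 ] || [ "$1" -eq "$2" ]; then echo ok
    elif [ "$2" -eq 0 ]; then echo missing
    else echo incomplete
    fi
}

# Print "match" or "differ" for file $1 against recorded md5 $2. A difference
# shows the file changed; it does not show who changed it or why.
verify_source() {
    if [ "$(md5sum "$1" | cut -d' ' -f1)" = "$2" ]; then echo match
    else echo differ
    fi
}

# Constructed sample data: one source file and two PKGBUILDs.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/nosums" "$demo_dir/withsums"
printf 'constructed source archive\n' > "$demo_dir/demo-1.0.tar.gz"
demo_sum=$(md5sum "$demo_dir/demo-1.0.tar.gz" | cut -d' ' -f1)
cat > "$demo_dir/nosums/PKGBUILD" <<'EOF'
pkgname=demo
pkgver=1.0
source=(http://example.org/demo-$pkgver.tar.gz)
EOF
cat > "$demo_dir/withsums/PKGBUILD" <<EOF
pkgname=demo
pkgver=1.0
source=(http://example.org/demo-\$pkgver.tar.gz)
md5sums=('$demo_sum')
EOF

for d in nosums withsums; do
    echo "$d: $(audit_pkgbuild "$demo_dir/$d/PKGBUILD")"
done
```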
