Arch Linux

FS#25764 - Enforce SHA usage in (new) PKGBUILDs.

Attached to Project: Arch Linux
Opened by einar (esjurso) - Friday, 26 August 2011, 03:59 GMT
Last edited by Andrea Scarpino (BaSh) - Friday, 02 December 2011, 11:40 GMT
Task Type: Feature Request
Category: Arch Projects
Status: Closed
Assigned To: No-one
Architecture: All
Severity: Very Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 1
Private: No


I suggest a change in policy that requires maintainers to use SHA in official PKGBUILDs that are newly created or modified.

I also suggest that makepkg -g should default to SHA.
Closed by Andrea Scarpino (BaSh)
Friday, 02 December 2011, 11:40 GMT
Reason for closing: Not a bug
Additional comments about closing: This isn't the right way to secure PKGBUILDs
Comment by Pierre Schmitz (Pierre) - Friday, 26 August 2011, 16:02 GMT
Any reason for that? Note that these sums are not about security but just a simple integrity check.
Comment by Jan de Groot (JGC) - Saturday, 27 August 2011, 18:50 GMT
If you care about security, the whole -g flag is bogus. It's not about the hash you use, but about where you get it from. Downloading a source tarball and adding its md5sum, sha1sum or sha256sum automatically is not secure at all.
IMHO developers should always replace the signature with what is in the announcement email from upstream.
Comment by Jelle van der Waa (jelly) - Sunday, 28 August 2011, 20:14 GMT
Source sig checking should be the solution for the problem, not using another checksum.
Which makepkg can, btw.
Comment by einar (esjurso) - Monday, 29 August 2011, 17:40 GMT
What if I don't trust the host but trust the PKGBUILD creator (and the Arch servers in this case) and I'm merely interested in getting the same source tarball that was used in building the official package?
Comment by Dan McGee (toofishes) - Monday, 29 August 2011, 21:41 GMT
Then you need a signed PKGBUILD/source package, not just some newer hash. Given that 90% of the values in current PKGBUILDs come from `makepkg -g >> PKGBUILD`, as Jan has stated, these are truly only integrity checks, not meant to be cryptographically secure hashes.
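The distinction the commenters draw, between a checksum generated from whatever `makepkg -g` happened to download (integrity only) and verification against an upstream signature (authenticity), is shown below as a PKGBUILD fragment. This is an added example, not code from the bug report or from any Arch package: the package name, URLs, version, checksum values and key fingerprint are placeholders, and the `validpgpkeys` array is a makepkg feature that postdates this 2011 thread.

```shell
# Added example, not from the bug report or from any Arch package.
# PKGBUILDs are bash, so this fragment is valid shell. Name, URLs,
# version, hashes and fingerprint below are placeholders.

pkgname=example-tool
pkgver=1.2.3
pkgrel=1
pkgdesc="Placeholder package used to illustrate source verification"
arch=('x86_64')
url="https://example.org/example-tool"
license=('MIT')

# Weak form (commented out): only the tarball, with a checksum pasted from
# `makepkg -g`. makepkg -g hashes whatever it just downloaded, so the value
# proves only that later downloads match that first one (integrity). If the
# mirror served a tampered tarball, the tampered file's hash is what gets
# pinned, and a longer hash algorithm changes nothing about that.
#source=("https://example.org/releases/${pkgname}-${pkgver}.tar.gz")
#sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')

# Stronger form: fetch upstream's detached signature next to the tarball.
# makepkg verifies a .sig/.asc entry in source= against the file it
# accompanies before building. The checksum slot for the signature itself
# is 'SKIP' because the signature, not a hash, vouches for the tarball.
source=("https://example.org/releases/${pkgname}-${pkgver}.tar.gz"
        "https://example.org/releases/${pkgname}-${pkgver}.tar.gz.sig")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP')

# Full fingerprint of upstream's release key, obtained out of band
# (project site, announcement mail, key-signing), never from the same
# mirror as the tarball. Placeholder value, not a real key.
validpgpkeys=('0000000000000000000000000000000000000000')

build() {
  cd "${pkgname}-${pkgver}"
  ./configure --prefix=/usr
  make
}

package() {
  cd "${pkgname}-${pkgver}"
  make DESTDIR="${pkgdir}" install
}
```

With real values in place, `makepkg --verifysource` downloads the sources and runs both the checksum and the signature check without building. The signing key must be present in the building user's GPG keyring (for example imported with `gpg --recv-keys`), and makepkg only accepts it as a signer if its fingerprint appears in `validpgpkeys` or the key is already trusted locally. The `sha256sums` entry for the tarball still serves its purpose: it pins the exact bytes the packager built from, which is what the reporter asked for, while the signature is what ties those bytes to upstream.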