Arch Linux

Please read this before reporting a bug:

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

FS#38543 - [pacman] Deprecate MD5 and SHA1 source checksums

Attached to Project: Arch Linux
Opened by Steven (Stebalien) - Thursday, 16 January 2014, 20:07 GMT
Last edited by Allan McRae (Allan) - Thursday, 16 January 2014, 20:49 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 3
Private No


MD5 and SHA1 have been vulnerable to collision attacks since 2004. We should probably stop relying on it for source code verification.

It should be noted that MD5 is vulnerable to collision attacks, not preimage attacks so the attacker would need to be able to influence both inputs (the original file and the malicious replacement file). However this can be done by, for example, "donating" some new documentation or graphics to a project and thereby directly influencing the resulting MD5 checksum (compression, timestamps, and other variables makes this attack more difficult but not impossible).
This task depends upon

Closed by  Allan McRae (Allan)
Thursday, 16 January 2014, 20:49 GMT
Reason for closing:  Not a bug
Additional comments about closing:  Convince all upstream projects to sign their source or even provide checksums.