FS#38543 : [pacman] Deprecate MD5 and SHA1 source checksums

FS#38543 - [pacman] Deprecate MD5 and SHA1 source checksums

Attached to Project: Arch Linux
Opened by Steven (Stebalien) - Thursday, 16 January 2014, 20:07 GMT
Last edited by Allan McRae (Allan) - Thursday, 16 January 2014, 20:49 GMT

Task Type	Bug Report
Category	Packages: Core
Status	Closed
Assigned To	No-one
Architecture	All
Severity	Low
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	3 . (bugreport) (2016-06-11) Wyatt J. Brown (sushidude) (2014-03-07) John (graysky) (2014-01-16)
Private	No

Details

MD5 and SHA1 have been vulnerable to collision attacks since 2004. We should probably stop relying on it for source code verification.

It should be noted that MD5 is vulnerable to collision attacks, not preimage attacks so the attacker would need to be able to influence both inputs (the original file and the malicious replacement file). However this can be done by, for example, "donating" some new documentation or graphics to a project and thereby directly influencing the resulting MD5 checksum (compression, timestamps, and other variables makes this attack more difficult but not impossible).

https://web.archive.org/web/20080205102746/http://www.cryptography.com/cnews/hash.html

This task depends upon

Closed by Allan McRae (Allan)
Thursday, 16 January 2014, 20:49 GMT
Reason for closing: Not a bug
Additional comments about closing: Convince all upstream projects to sign their source or even provide checksums.

	Tasks related to this task (0)

Duplicate tasks of this task (2)
~~FS#39210 - The default integrity check algorithm used by makepkg is MD5.~~
~~FS#49676 - almost all of the PKGBUILD files of the packages in the official~~

Arch Linux

FS#38543 - [pacman] Deprecate MD5 and SHA1 source checksums

Details

Loading...