Welcome to the Pacman bug tracker. Please search the current bugs and feature requests before filing a new one! Use advanced search and select "Search in Comments".

* Please select the correct category and version.
* Write a descriptive summary, background info, and provide a reproducible test case whenever possible.

FS#47141 - get rid of md5sums=() in PKGBUILD.proto and other files

Attached to Project: Pacman
Opened by Max Bruckner (FSMaxB) - Saturday, 21 November 2015, 23:30 GMT
Last edited by Allan McRae (Allan) - Monday, 14 December 2015, 13:44 GMT
Task Type General Gripe
Category Documentation
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version 4.2.1
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No


The following files in /usr/share/pacman still use md5sums for the array of file checksums:

This probably results in many new packages using md5 by default, which shouldn't be the case because it's been broken for a long time now.

It would be better to use another hash function like sha512.

I added a patch that does this. I can't seem to find all of the files listed above in the git source tree though, maybe they are generated?
This task depends upon

Closed by  Allan McRae (Allan)
Monday, 14 December 2015, 13:44 GMT
Reason for closing:  Duplicate
Additional comments about closing:   FS#12772 
Comment by Allan McRae (Allan) - Saturday, 21 November 2015, 23:44 GMT
A PKGBUILD should use the checksums/signatures provided by upstream. There is no added security if upstream do not provide such details.
Comment by Max Bruckner (FSMaxB) - Saturday, 21 November 2015, 23:52 GMT
Yes, but that works on the assumption that the packager actually copies checksums provided by upstream one to one. In that case, the default hashing algorithm has no impact on the security.

The case is different though, if no checksum provided by upstream was used, which I think is much more likely to happen for most AUR packages. And this is the case I want to cover with this change. This way it's at least possible to ensure with higher certainty that one has downloaded the same file as the packager.
Comment by Max Bruckner (FSMaxB) - Saturday, 21 November 2015, 23:55 GMT
The use of md5sum as default might also lead people into thinking that it is still OK to use MD5 to ensure file integrity, by legitimizing it's use in general.
Comment by Dave Reisner (falconindy) - Sunday, 22 November 2015, 00:30 GMT
Seems like a duplicate of  FS#12772 .
Comment by Max Bruckner (FSMaxB) - Sunday, 22 November 2015, 00:41 GMT
I havent seen  FS#12772 . The general idea is the same: Don't actively encourage the use of MD5.

I hope this is properly reconsidered since the world has changed a lot since 2009.