FS#49676 - almost all of the PKGBUILD files of the packages in the official repositories must be corrected

Attached to Project: Arch Linux
Opened by . (bugreport) - Saturday, 11 June 2016, 17:28 GMT
Last edited by Dave Reisner (falconindy) - Saturday, 11 June 2016, 17:34 GMT
Task Type General Gripe
Category Security
Status Closed
Assigned To No-one
Architecture All
Severity Critical
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Almost all of the PKGBUILD files of the packages in the official repositories still use MD5 and SHA-1 message digests, and public key fingerprints are missing, even from GNU software PKGBUILDs.

If the upstream provides SHA-256 (or better) message digests, then those must be used; otherwise SHA-512 message digests must be used.

FTP and HTTP sources must be avoided. HTTPS or other protocols that enable encrypted file transfers must be used.

A lot of the upstream URLs are broken, lead to old and abandoned websites, or the scheme of the URLs isn't 'https://' for HTTPS-enabled websites.

This task depends upon
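As an added illustration (not part of the report or of any Arch tooling), the following POSIX shell script audits a PKGBUILD for the three conditions the report lists: an MD5/SHA-1 checksum array, a source or url fetched over ftp:// or http://, and a missing validpgpkeys array. Both PKGBUILD fragments are constructed samples: the package name, the example.invalid host, the key fingerprint and the digests are placeholders, not values from any real package. The corrected fragment uses the standard makepkg conventions of an https:// source, an accompanying .sig entry with SKIP as its checksum, and validpgpkeys holding the upstream signing key fingerprint.

```shell
#!/bin/sh
# Audit PKGBUILD text for weak digests, cleartext transports and missing
# upstream key fingerprints. Constructed example, not Arch's own tooling.

# Constructed sample with the weak pattern: http:// source and md5sums only.
WEAK_PKGBUILD='pkgname=example
pkgver=1.0
url="http://example.invalid/"
source=("http://example.invalid/example-$pkgver.tar.gz")
md5sums=("d41d8cd98f00b204e9800998ecf8427e")'

# The same fragment corrected: https:// transport, SHA-256 digest, detached
# signature fetched alongside the tarball, and a (placeholder) signing key.
FIXED_PKGBUILD='pkgname=example
pkgver=1.0
url="https://example.invalid/"
source=("https://example.invalid/example-$pkgver.tar.gz"{,.sig})
sha256sums=("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
            "SKIP")
validpgpkeys=("0000000000000000000000000000000000000000")  # placeholder fingerprint'

# audit_pkgbuild: print one finding per line for the PKGBUILD text given in $1.
# Prints nothing when the PKGBUILD is clean with respect to the three checks.
audit_pkgbuild() {
    pkgbuild=$1

    # 1. MD5 or SHA-1 checksum arrays, including per-architecture variants
    #    such as md5sums_x86_64.
    if printf '%s\n' "$pkgbuild" | grep -Eq '^[[:space:]]*(md5|sha1)sums(_[A-Za-z0-9_]+)?='; then
        echo 'weak-digest: md5sums/sha1sums present; use sha256sums (when upstream publishes them) or sha512sums'
    fi

    # 2. ftp:// or http:// on any non-comment line (covers source= and url=).
    #    "https://" does not contain the substring "http://", so it never matches.
    if printf '%s\n' "$pkgbuild" | grep -Eq '^[^#]*(ftp|http)://'; then
        echo 'cleartext-url: ftp:// or http:// used; switch to https:// or another encrypted transport'
    fi

    # 3. No validpgpkeys array, so makepkg has no fingerprint to verify a .sig against.
    if ! printf '%s\n' "$pkgbuild" | grep -Eq '^[[:space:]]*validpgpkeys='; then
        echo 'no-validpgpkeys: no upstream key fingerprint; add validpgpkeys=() and fetch the .sig'
    fi
}

# finding_count: number of findings for the PKGBUILD text in $1 (0 means clean).
finding_count() {
    audit_pkgbuild "$1" | grep -c . || true
}

echo '--- weak PKGBUILD ---'
audit_pkgbuild "$WEAK_PKGBUILD"
echo '--- corrected PKGBUILD ---'
audit_pkgbuild "$FIXED_PKGBUILD"
```

To run it over a real tree, replace the embedded sample with `audit_pkgbuild "$(cat path/to/PKGBUILD)"` inside a loop over the repository checkout; the checks are deliberately line-based and conservative, so a file that triggers none of them still needs a human to confirm the digests actually match what upstream publishes.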

Closed by Dave Reisner (falconindy)
Saturday, 11 June 2016, 17:34 GMT
Reason for closing: Duplicate
Additional comments about closing: FS#38543
