FS#50017 : use SHA-512 message digests for the ISO file releases

Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

FS#50017 - use SHA-512 message digests for the ISO file releases

Attached to Project: Community Packages
Opened by . (flysprayer) - Monday, 11 July 2016, 12:43 GMT
Last edited by Allan McRae (Allan) - Monday, 11 July 2016, 12:59 GMT

Task Type	Feature Request
Category	Security
Status	Closed
Assigned To	No-one
Architecture	All
Severity	Low
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	0
Private	No

Details

stop using MD5 and SHA-1 message digests

This task depends upon

Closed by Allan McRae (Allan)
Monday, 11 July 2016, 12:59 GMT
Reason for closing: Won't fix
Additional comments about closing: Use PGP

Comments (3)
Related Tasks (0/0)

Comment by Doug Newgard (Scimmia) - Monday, 11 July 2016, 12:52 GMT

Not sure what you're talking about here.

Comment by Christian Hesse (eworm) - Monday, 11 July 2016, 12:56 GMT

Possibly this is about the checksums for the official release media:
https://www.archlinux.org/download/

There's an easy solution... Use the PGP/GPG signature provided.

Comment by Allan McRae (Allan) - Monday, 11 July 2016, 12:58 GMT

The PGP signature supersedes and hash provided on a webpage. If someone can change our iso, they likely can adjust the hash on the webpage too. They can not make a valid PGP signature signed by a well cross-signed key.

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

Community Packages

FS#50017 - use SHA-512 message digests for the ISO file releases

Details

Loading...