On Sat, 17 Apr 2021 07:45:16 +0200 (CEST) Sagar Acharya <sagaracha...@tutanota.com> wrote:
Dear Sagar,

> Ok. But this is a behavioral change right? How can a patch help in
> this case?
>
> Admins always protest the decision in almost every community if it
> isn't theirs. Am I suggesting something harmful here? It takes a
> minute to sign a release and this improves security. It makes sure
> that user gets the same piece of code that the dev made.
>
> If that action helps suckless, why be reluctant because I initiated
> that mail?
>
> Thanking you

from what I can tell, most of the time package managers do hash confirmation by hand and then add a "known good" hash of their choosing to the package-script itself (e.g. on Gentoo with the ebuild manifest that is automatically generated from hand-validated files). In that regard, sha256 is fine.

And always know your threat vectors: If someone powerful enough was interested in "forging" a hash for dwm, we'd have completely different problems. The attacker would probably just use another, more targeted, approach.

And, in a way, keeping the choice of hashes up to the consumer (i.e. package manager) adds a great layer of protection, because then you have different hash functions running on the data, and it's impossible to then forge it for everyone.

With best regards

Laslo
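As an added example, not code from this thread or from suckless: a POSIX sh fragment in the style of the package-script check Laslo describes, where the maintainer pins hand-validated digests for a release tarball and the build refuses to proceed if any of them disagrees. It assumes the coreutils `sha256sum` and `sha512sum` tools are installed; the manifest format (one `<algo> <hex digest>` per line), the function names and the sample file are this example's own, and the digest values a maintainer would paste in are placeholders to be replaced after validating the file by hand.

```shell
#!/bin/sh
# Added example (not from the thread): a package-script style integrity
# check. The consumer (package manager) chooses the hash functions, so a
# manifest may list several algorithms and every one of them must match.

# verify_digest FILE ALGO EXPECTED
#   ALGO is "sha256" or "sha512"; EXPECTED is the hand-validated hex digest.
#   Returns 0 on match, 1 on mismatch, 2 for an unsupported algorithm.
verify_digest() {
    file=$1; algo=$2; expected=$3
    case $algo in
        sha256) actual=$(sha256sum "$file" | cut -d' ' -f1) ;;
        sha512) actual=$(sha512sum "$file" | cut -d' ' -f1) ;;
        *) echo "unsupported algorithm: $algo" >&2; return 2 ;;
    esac
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "$algo mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# verify_manifest FILE MANIFEST
#   MANIFEST lines look like "sha256 <hex>" or "sha512 <hex>" (example
#   format, not Gentoo's). Every listed digest must match; blank lines are
#   ignored. Returns 0 only if all checks pass.
verify_manifest() {
    file=$1; manifest=$2; status=0
    while read -r algo digest; do
        [ -z "$algo" ] && continue
        verify_digest "$file" "$algo" "$digest" || status=1
    done < "$manifest"
    return $status
}

# Usage from a build script:  ./check.sh dwm-6.2.tar.gz dwm-6.2.manifest
# (file names are placeholders). Only runs when two arguments are given so
# the functions can also be sourced.
if [ "$#" -eq 2 ]; then
    verify_manifest "$1" "$2" || { echo "refusing to build" >&2; exit 1; }
fi
```

The two-algorithm manifest is what makes the "different hash functions running on the data" point concrete: a file that is altered so that one digest still matches will not also match the other, so the check only passes on the exact bytes the maintainer validated.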