On Thu, 23 Feb 2017 at 16:31 Mike Swanson <mikeonthecompu...@gmail.com> wrote:
> Both the MD5 and SHA-1 hash functions have known collision attacks, > providing an attack vector for malicious hosts and MITMs to provide > tampered code without being detected by md5, or sha1, hashing. > > We should move to sha256-by-default, and encourage their use by > changing the documentation and example files to follow suit. The > SHA-2 family of hashes are currently secure against normal attacks > (even at the scale of having Facebook's or Google's datacenters). Int > the future, pacman should gain SHA-3 support though, because SHA-2 > itself has some theoretical preimage attacks and possible collision > attacks. <https://crypto.stackexchange.com/questions/26336/sha512-faster-than-sha256> points out that using sha512 is faster than sha256 so I'd rather not waste my time calculating hashes without a good reason > > Mike Swanson (2): > proto: Encourage the use of sha256sums by example. > doc, makepkg.conf: Deprecate md5sums, show examples using sha256sums. > > doc/PKGBUILD-example.txt | 4 ++-- > doc/PKGBUILD.5.txt | 31 +++++++++++++++++++------------ > doc/makepkg-template.1.txt | 2 +- > etc/makepkg.conf.in | 2 +- > proto/PKGBUILD-split.proto | 2 +- > proto/PKGBUILD-vcs.proto | 2 +- > proto/PKGBUILD.proto | 2 +- > 7 files changed, 26 insertions(+), 19 deletions(-) > > -- > 2.11.1 > -- Signed, Kieran Colford