linux-from-scratch/lfs-buildscripts
1
0
Fork 0
mirror of https://github.com/YellowJacketLinux/lfs-buildscripts.git synced 2025-01-23 14:32:20 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity
main
lfs-buildscripts/versions.md
YellowJacketLinux efa84c281b Note on checksums
2024-10-02 15:18:53 -07:00

22 lines
967 B
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

The versions.sh Script
======================
This build of LFS 12.2 has some differences in from The Book. These
differences are mostly academic in nature.
One issue I have with the LFS book is that it uses MD5 hashes to verify the
source tarball. MD5 is no longer suitable for that purpose and has not been
suitable for that purpose for quite some time now.
MD5 hashes do validate that the downloaded file was not corrupted during the
file retrieval but they do not validate that the file on the server has not
been tampered with.
The `versions.sh` script here specifies the SHA256 hash of the upstream source
file so that in addition to verifying that the download is not corrupt, the
upstream file has not been tampered with.
Granted, a GPG signature is needed to be completely confident, but unless the
attacker has modified the SHA256 checksum within the `versions.sh` script, the
checksum in the script can be used to validate the upstream package.
Reference in New Issue View Git Blame Copy Permalink