Re: [Gnu-arch-users] crypto features and 1.2preX
From: Brian May
Subject: Re: [Gnu-arch-users] crypto features and 1.2preX
Date: Wed, 07 Jan 2004 11:13:34 +1100
User-agent: Gnus/5.1002 (Gnus v5.10.2) Emacs/21.3 (gnu/linux)
>>>>> "Tom" == Tom Lord <address@hidden> writes:
Two questions:
Tom> * MD5 Checksums of Revision Data
[...]
Tom> When arch retrieves a file from an archive, it computes an
Tom> MD5 of the file it receives and compares that to the checksum
Tom> file. If they disagree, an error is signaled and the
Tom> operation is aborted.
1. I have heard, from other mailing lists, that it is feasible to
alter a file *and* *its* *length* in such a way that it will produce
exactly the same MD5 Checksum. The moral of the story was you can't
rely on the MD5 checksum by itself, you need the MD5Sum + Length of
the data.
Does arch do the right thing here?
2. Is there anything to prevent me from doing this[1]?
[338] [scrooge:bam] ~/tmp/tree >tla my-id "Tom Lord <address@hidden>"
[339] [scrooge:bam] ~/tmp/tree >tla commit -s "My forgery"
M file
You need a passphrase to unlock the secret key for
user: "Brian May <address@hidden>"
1024-bit DSA key, ID 00530C24, created 2000-07-26
* commited address@hidden/test--devo--0.1--patch-1
[348] [scrooge:bam] ~/tmp/tree >tla revisions --creator
gpg: Signature made Wed 07 Jan 2004 10:54:51 EST using DSA key ID 00530C24
gpg: Good signature from "Brian May <address@hidden>"
gpg: aka "Brian May <address@hidden>"
base-0
Brian May <address@hidden>
gpg: Signature made Wed 07 Jan 2004 10:57:26 EST using DSA key ID 00530C24
gpg: Good signature from "Brian May <address@hidden>"
gpg: aka "Brian May <address@hidden>"
patch-1
Tom Lord <address@hidden>
Here, the signature is made with my key, but tla doesn't realize that
the creator field was forged.
--
Brian May <address@hidden>
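
Added example, not part of Brian May's message and not tla code: a check that flags revisions whose creator line is not a user ID on the key that signed them, run over a constructed transcript shaped like the `tla revisions --creator` output above. The e-mail addresses and the assumed line layout (gpg status lines, then revision name, then creator) are assumptions.

```python
import re

# Constructed sample modelled on the transcript above; addresses are placeholders.
SAMPLE = '''\
gpg: Signature made Wed 07 Jan 2004 10:54:51 EST using DSA key ID 00530C24
gpg: Good signature from "Brian May <bam@example.org>"
gpg:                 aka "Brian May <brian@example.net>"
base-0
    Brian May <bam@example.org>
gpg: Signature made Wed 07 Jan 2004 10:57:26 EST using DSA key ID 00530C24
gpg: Good signature from "Brian May <bam@example.org>"
gpg:                 aka "Brian May <brian@example.net>"
patch-1
    Tom Lord <lord@example.com>
'''

KEY_RE = re.compile(r'^gpg: Signature made .* key ID ([0-9A-Fa-f]+)$')
UID_RE = re.compile(r'^gpg:\s+(?:Good signature from|aka) "(.+)"$')
REV_RE = re.compile(r'^(?:base-0|patch-\d+|version-\d+|versionfix-\d+)$')

def normalize(identity):
    """Case-fold and collapse whitespace before comparing identities."""
    return ' '.join(identity.split()).lower()

def find_creator_mismatches(text):
    """Return (revision, creator, key_id) where creator is not a uid of the signing key."""
    mismatches, key_id, uids, revision = [], None, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        uid = UID_RE.match(line)
        if key:
            key_id, uids, revision = key.group(1), set(), None
        elif uid:  # only "Good signature"/"aka" lines contribute trusted uids
            uids.add(normalize(uid.group(1)))
        elif not line or line.startswith('gpg:'):
            continue  # blank lines and other gpg output (e.g. a bad signature)
        elif REV_RE.match(line):
            revision = line
        elif revision is not None:  # the line after a revision name is its creator
            if normalize(line) not in uids:
                mismatches.append((revision, line, key_id))
            # Reset so an unsigned or badly signed next revision fails closed.
            key_id, uids, revision = None, set(), None
    return mismatches
```

On the sample this reports only `patch-1`, whose creator "Tom Lord" is not a user ID on key 00530C24.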