[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Gnu-arch-users] Re: MD5 is broken

From: Karel Gardas
Subject: Re: [Gnu-arch-users] Re: MD5 is broken
Date: Wed, 16 Mar 2005 11:51:10 +0100 (CET)

On Wed, 16 Mar 2005, Peter Conrad wrote:

> Hi,
> On Wed, Mar 16, 2005 at 12:26:30PM +0600, Ivan Boldyrev wrote:
> >
> > Tom Lord merges sexy patch.  Even if he will re-sign patch,
> > MD5 sum in ./checksum will be same because *.patches.tar.gz is same.
> this is wrong. If Tom merges your patch, he will automatically create
> additional log entries in his own branch. This (among other things, like
> changed timestamps) will lead to a file with a different MD5 sum.

I'm afraid the whole message is a bit different: hack the mirror, hack the
patch while keeping MD5 intack and let your attack to software X spread
thorough the world.

I've just now looked at tla and baz and found that at least mirror on: uses also
SHA-1 hashes. Since SHA-1 is also considered weak these days, this
does not add that much security, but certainly at least something
before arch move to some more secure hash implementation.

Karel Gardas                  address@hidden
ObjectSecurity Ltd. 

reply via email to

[Prev in Thread] Current Thread [Next in Thread]