[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Guile 1.7.91 has been released.

From: Ludovic Courtès
Subject: Re: Guile 1.7.91 has been released.
Date: Tue, 14 Feb 2006 10:22:20 +0100
User-agent: Gnus/5.110004 (No Gnus v0.4) Emacs/21.4 (gnu/linux)


Marius Vollmer <address@hidden> writes:

> Well, they get to choose both texts that have a MD5 collision.
> Looking at the PostScript source reveals that the texts have been
> rigged, which should be enough if this goes to court.  In our case, an
> attacker would need to find a second meaningful text that collides
> with the text that we provide.  I guess that is much harder to do.

Well, since *you* are malicious, you could very well have prepared a
second tarball whose MD5 is the same and which you will propagate
during the days following the announcement.  ;-)

Seriously, this kind of attack is really about the level of trust one
can have in the *emitter* of the tarball and checksum.

> And the tarball is signed with a SHA1 hash anyway.  Maybe I should
> include the signature in the announcement and not a checksum...



reply via email to

[Prev in Thread] Current Thread [Next in Thread]