Subject: Re: Checksum for packages
To: None <firstname.lastname@example.org>
From: Ignatios Souvatzis <email@example.com>
Date: 12/21/2000 12:09:20
Content-Type: text/plain; charset=us-ascii
On Wed, Dec 20, 2000 at 04:22:02PM -0400, David Maxwell wrote:
> Even if md5 was weaker than it is, there is a check in place - someone
> needs to compromise (at least) the primary ftp server for a package, and
> replace it without detection, with a package that is a valid tar.gz (or
> whatever that package is shipped as), and that file mush collide the
This is not the relevant problem.
If somebody was to undetectedly compromise the ftp server, she could
replace the tar files AND the md5 signatures.
> It seems reasonable that we start creating checksum files with md5 AND
> SHA-1 hashes, or make the pkg tools install SHA-1 utilities on older
I mostly agree with this. If only so that should we switch to=20
using _signed_ hashes, we have a better hash to sign.
And we would need a _really secure way_ to create them, like
using read-only (non-networked) boxes to store the secret key, etc.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----