tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]


On Fri, Jun 07, 2013 at 11:54:53PM +1200, David Sainty wrote:
> The situation for fetching is Very Very different to building phases,
> because there's already a repeatability firewall, in the form of
> distinfo digests, that makes it impossible for misbehaviour in the fetch
> phase to go unnoticed - and so the environment will never have any
> bearing on the final contents of the package.

Difficult, not impossible. Especially for a motivated attacker.
Both md5 and sha1 have  known birthday attacks.

gzip, bzip2, tar, ignore garbage at end of archives...

Home | Main Index | Thread Index | Old Index