tech-pkg archive
Re: PKGSRC_SETENV?= ${SETENV} -i
On Fri, Jun 07, 2013 at 04:16:23PM +0200, Marc Espie wrote:
> On Fri, Jun 07, 2013 at 11:54:53PM +1200, David Sainty wrote:
> > The situation for fetching is Very Very different to building phases,
> > because there's already a repeatability firewall, in the form of
> > distinfo digests, that makes it impossible for misbehaviour in the fetch
> > phase to go unnoticed - and so the environment will never have any
> > bearing on the final contents of the package.
>
> Difficult, not impossible. Especially for a motivated attacker.
> Both md5 and sha1 have known birthday attacks.
>
> gzip, bzip2, tar, ignore garbage at end of archives...
pkgsrc distinfo contains rmd160 and sha1 digests (and size)
information, so both would have to be second-preimaged
together, in a file of the same size, which is a bit harder.
Regards,
Alistair
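The check Alistair describes, written out as an added example (this is not code from the thread or from pkgsrc itself): parse distinfo lines of the form `SHA1 (file) = hex`, `RMD160 (file) = hex` and `Size (file) = N bytes`, require every recorded value to match, and fail closed when an algorithm cannot be computed locally (RIPEMD-160 is absent from some OpenSSL 3 builds). It also shows Marc's point about trailing garbage: a gzip member with junk appended decompresses to the identical payload, so only the Size line and the digests notice. The distfile name `demo-1.0.tar.gz` and its contents are constructed for the demo.

```python
"""Verify a distfile against pkgsrc-style distinfo entries: SHA1, RMD160 and
Size must all match. Also shows why Size matters: gzip ignores trailing bytes."""
import hashlib
import re
import zlib

# One distinfo line looks like:  SHA1 (foo-1.0.tar.gz) = <hex>
# or:                            Size (foo-1.0.tar.gz) = 1234 bytes
DISTINFO_LINE = re.compile(r"^(SHA1|RMD160|SHA512|Size) \((.+)\) = (\S+)( bytes)?$")

# distinfo algorithm name -> hashlib name
HASHLIB_NAMES = {"SHA1": "sha1", "RMD160": "ripemd160", "SHA512": "sha512"}


def digest(algo, data):
    """Hex digest of data, or None if this Python/OpenSSL build lacks the
    algorithm (RIPEMD-160 lives in OpenSSL 3's legacy provider)."""
    try:
        h = hashlib.new(HASHLIB_NAMES[algo])
    except ValueError:
        return None
    h.update(data)
    return h.hexdigest()


def parse_distinfo(text):
    """Map distfile name -> {algo: expected value}."""
    entries = {}
    for line in text.splitlines():
        m = DISTINFO_LINE.match(line.strip())
        if m:
            entries.setdefault(m.group(2), {})[m.group(1)] = m.group(3)
    return entries


def make_distinfo(name, data):
    """Emit distinfo lines for data (roughly what `make distinfo` does in a
    pkgsrc package directory); algorithms hashlib cannot compute are left out."""
    lines = []
    for algo in ("SHA1", "RMD160"):
        d = digest(algo, data)
        if d is not None:
            lines.append(f"{algo} ({name}) = {d}")
    lines.append(f"Size ({name}) = {len(data)} bytes")
    return "\n".join(lines) + "\n"


def check_distfile(name, data, entries):
    """Per-algorithm result: 'ok', 'mismatch' or 'unavailable'.
    A file with no distinfo entry at all is itself a failure."""
    if name not in entries:
        return {"distinfo": "missing"}
    results = {}
    for algo, expected in entries[name].items():
        actual = str(len(data)) if algo == "Size" else digest(algo, data)
        if actual is None:
            results[algo] = "unavailable"
        else:
            results[algo] = "ok" if actual == expected else "mismatch"
    return results


def verify(name, data, entries):
    """Fail closed: every recorded digest and the size must check out, and an
    algorithm we cannot compute counts as a failure, not a pass."""
    return all(v == "ok" for v in check_distfile(name, data, entries).values())


def gunzip_member(data):
    """Decompress the first gzip member and return (payload, trailing bytes).
    gzip(1) and tar ignore the trailing bytes; digests and Size do not."""
    d = zlib.decompressobj(wbits=31)  # 16 + 15: expect a gzip wrapper
    payload = d.decompress(data)
    return payload, d.unused_data


def gzip_bytes(payload):
    c = zlib.compressobj(wbits=31)
    return c.compress(payload) + c.flush()


# Constructed demo: a tiny "distfile" and its distinfo, then the same file with
# junk appended. The payload decompresses identically either way, but the Size
# line (and both digests) catch the change.
DISTFILE = "demo-1.0.tar.gz"  # hypothetical name, not a real package
GOOD = gzip_bytes(b"hello from a tarball\n")
TAMPERED = GOOD + b"appended junk the decompressor never looks at"
ENTRIES = parse_distinfo(make_distinfo(DISTFILE, GOOD))

if __name__ == "__main__":
    print(make_distinfo(DISTFILE, GOOD))
    print("good:", check_distfile(DISTFILE, GOOD, ENTRIES))
    print("tampered:", check_distfile(DISTFILE, TAMPERED, ENTRIES))
    print("payload identical:", gunzip_member(GOOD)[0] == gunzip_member(TAMPERED)[0])
```

The fail-closed choice matters in practice: a fetch tool that silently skips an algorithm it cannot compute turns the "both digests, same size" requirement back into a single-digest check.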