Subject: Re: Checksum for packages
To: None <tech-pkg@netbsd.org>
From: Ignatios Souvatzis <ignatios@cs.uni-bonn.de>
List: tech-pkg
Date: 12/21/2000 12:09:20
--i0/AhcQY5QxfSsSZ
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Dec 20, 2000 at 04:22:02PM -0400, David Maxwell wrote:

> Even if md5 was weaker than it is, there is a check in place - someone
> needs to compromise (at least) the primary ftp server for a package, and
> replace it without detection, with a package that is a valid tar.gz (or
> whatever that package is shipped as), and that file mush collide the
> hash.

This is not the relevant problem.

If somebody was to undetectedly compromise the ftp server, she could
replace the tar files AND the md5 signatures.

> It seems reasonable that we start creating checksum files with md5 AND
> SHA-1 hashes, or make the pkg tools install SHA-1 utilities on older
> boxes.

I mostly agree with this. If only so that should we switch to=20
using _signed_ hashes, we have a better hash to sign.

And we would need a _really secure way_ to create them, like
using read-only (non-networked) boxes to store the secret key, etc.

Regards,
	Ignatios

--i0/AhcQY5QxfSsSZ
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: 2.6.i

iQEVAgUBOkHk2zCn4om+4LhpAQFnfggAq+lOiMOnvMN2pFhwoWbTNOt6fXHmEbcs
F9ArYhk1bqv+/sbvshGDkj++/9TVv6OHp9hijQMOefKwSD2PD0z+kgohO0bOhHdH
gE7Iiwm/+zQlQt3aOMyJaLS3f0tfFdNkQKVeL+cBqrULkjZkfZ3PKHcebCgx6HMU
mRm+gVa6lUvkMNu1OONU2vxyLF8DnRoIuRC6fmSdI/y4/fDwSG4wQihTyioeZE4C
6J82fLIk2V5hSfpQRsMPucrv0xvrujTri1SGWJKnm1ykVVcuY75NvbET+DqSOXm9
sIkl1o1tv2G6QYKyvq9cvifSGqdD1Z6ughwIcpgL0QskEs+M8ibvyw==
=8NPO
-----END PGP SIGNATURE-----

--i0/AhcQY5QxfSsSZ--