[Gnu-arch-users] SHA1 sums for checksums file
From: Colin Walters
Subject: [Gnu-arch-users] SHA1 sums for checksums file
Date: Tue, 06 Jan 2004 05:52:49 -0500

It came to my attention that tla was only including an MD5 sum of the
data inside the checksums file. MD5 is considered weak by many in the
security community, especially if you don't also verify additional
information such as the file size.

Some references:

ftp://ftp.rsasecurity.com/pub/pdfs/bulletn4.pdf
http://www.esat.kuleuven.ac.be/~bosselae/ripemd160.html
http://www.nullify.org/openpgp.html

Therefore, as Tom and I briefly talked about on IRC, I went ahead and
added SHA1 sums. Here are the requisite modifications to hackerlab:

address@hidden
  hackerlab
    hackerlab--main
      hackerlab--main--1.0
        base-0
          tag of address@hidden/hackerlab--devo--1.0--patch-16
        patch-1
          add mem_cpy
        patch-2
          add sha1 implementation, hacked up from coreutils
        patch-3
          add little sha1 utilities, include docs

And here's where it's added to tla:

address@hidden
  tla
    tla--mainline
      tla--mainline--1.2
        base-0
          tag of address@hidden/tla--devo--1.2--patch-50
        patch-1
          add SHA1 to checksums, verify it [INCOMPATIBLE CHANGE]

I was fairly verbose in the patch-1 patch log. In case [INCOMPATIBLE
CHANGE] isn't clear enough - yes, you will have to re-checksum and
re-sign your archives.
My address@hidden archive is still using the old checksum
format, since otherwise it would be rather difficult for you to merge :)
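
Added example, not part of the original message and not tla's code: a Python sketch of a verifier that requires both an MD5 and a SHA1 digest per file, showing why md5-only checksum files stop verifying once SHA1 is mandatory. The `<algo> <filename> <hexdigest>` line layout, the file name and the payload are assumptions constructed for illustration.

```python
import hashlib

REQUIRED = ("md5", "sha1")  # assumed policy: every file must carry both digests


def parse_checksums(text):
    """Parse '<algo> <filename> <hexdigest>' lines (assumed layout)."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in REQUIRED:
            raise ValueError(f"line {lineno}: unrecognised entry")
        algo, name, digest = parts
        per_file = entries.setdefault(name, {})
        if algo in per_file:
            raise ValueError(f"line {lineno}: duplicate {algo} for {name}")
        per_file[algo] = digest.lower()
    return entries


def verify(entries, name, data):
    """Return (ok, reason); fail closed if a required digest is absent or wrong."""
    listed = entries.get(name)
    if listed is None:
        return False, "file not listed"
    for algo in REQUIRED:
        if algo not in listed:
            return False, f"missing {algo}"
        if hashlib.new(algo, data).hexdigest() != listed[algo]:
            return False, f"{algo} mismatch"
    return True, "ok"


# Constructed sample data, not taken from any real archive.
PAYLOAD = b"constructed sample payload\n"
NAME = "example--1.0--patch-1.tar.gz"
NEW_FORMAT = "\n".join(
    f"{algo} {NAME} {hashlib.new(algo, PAYLOAD).hexdigest()}" for algo in REQUIRED
)
OLD_FORMAT = NEW_FORMAT.splitlines()[0]  # md5 line only, as before the change

if __name__ == "__main__":
    print(verify(parse_checksums(NEW_FORMAT), NAME, PAYLOAD))
    print(verify(parse_checksums(OLD_FORMAT), NAME, PAYLOAD))
```
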