[Gnu-arch-users] SHA1 sums for checksums file


From: Colin Walters
Subject: [Gnu-arch-users] SHA1 sums for checksums file
Date: Tue, 06 Jan 2004 05:52:49 -0500

It came to my attention that tla was only including an MD5 sum of the
data inside the checksums file.  MD5 is considered weak by many in the
security community, especially if you don't also verify additional
information such as the file size.

Some references:

ftp://ftp.rsasecurity.com/pub/pdfs/bulletn4.pdf
http://www.esat.kuleuven.ac.be/~bosselae/ripemd160.html
http://www.nullify.org/openpgp.html

Therefore, as Tom and I briefly talked about on IRC, I went ahead and
added SHA1 sums.  Here are the requisite modifications to hackerlab:

address@hidden
  hackerlab
    hackerlab--main
      hackerlab--main--1.0
 
        base-0
          tag of address@hidden/hackerlab--devo--1.0--patch-16
 
        patch-1
          add mem_cpy
 
        patch-2
          add sha1 implementation, hacked up from coreutils
 
        patch-3
          add little sha1 utilities, include docs
 
And here's where it's added to tla:

address@hidden
  tla
    tla--mainline
      tla--mainline--1.2
 
        base-0
          tag of address@hidden/tla--devo--1.2--patch-50
 
        patch-1
          add SHA1 to checksums, verify it [INCOMPATIBLE CHANGE]
 
I was fairly verbose in the patch-1 patch log.  In case [INCOMPATIBLE
CHANGE] isn't clear enough - yes, you will have to re-checksum and
re-sign your archives.

My address@hidden archive is still using the old checksum
format, since otherwise it would be rather difficult for you to merge :)

Attachment: signature.asc
Description: This is a digitally signed message part
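
The check described in the message above (a second, stronger digest next to MD5, plus the file size), as an added example that is not part of the original post and is not tla or hackerlab code. The line layout "algo name size hexdigest", the file names and the sample bytes are constructed for the illustration and are not tla's checksums file format. The verifier fails closed when a required digest is absent, so an MD5-only manifest is rejected until it is regenerated.

```python
import hashlib
import hmac

REQUIRED = ("md5", "sha1")  # assumption: policy requires both digests for every file

def parse_manifest(text):
    """Parse 'algo name size hexdigest' lines into {name: {algo: (size, digest)}}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        algo, name, size, digest = line.split()  # names without spaces (assumption)
        entries.setdefault(name, {})[algo] = (int(size), digest.lower())
    return entries

def verify(name, data, entries, required=REQUIRED):
    """Return a list of failure reasons; an empty list means the file verified."""
    listed = entries.get(name)
    if listed is None:
        return ["no entry for " + name]
    failures = []
    for algo in required:
        if algo not in listed:
            failures.append(algo + " missing")  # fail closed: no downgrade to MD5 only
            continue
        size, digest = listed[algo]
        if size != len(data):
            failures.append(algo + " size mismatch")
        if not hmac.compare_digest(hashlib.new(algo, data).hexdigest(), digest):
            failures.append(algo + " digest mismatch")
    return failures

def make_manifest(files, algos=REQUIRED):
    """Build manifest text for {name: bytes}; stands in for re-checksumming an archive."""
    return "\n".join(
        f"{algo} {name} {len(data)} {hashlib.new(algo, data).hexdigest()}"
        for name, data in sorted(files.items()) for algo in algos)

# Constructed sample data, not taken from any real archive.
FILES = {"log": b"Summary: add sha1\n", "patches.tar.gz": b"\x1f\x8b constructed bytes"}
MANIFEST = make_manifest(FILES)                 # new-style: MD5 and SHA1
LEGACY = make_manifest(FILES, algos=("md5",))   # old-style: MD5 only

if __name__ == "__main__":
    print(verify("log", FILES["log"], parse_manifest(MANIFEST)))        # intact file
    print(verify("log", b"Summary: add sha2\n", parse_manifest(MANIFEST)))  # altered file
    print(verify("log", FILES["log"], parse_manifest(LEGACY)))          # MD5-only manifest
```

In a real archive the manifest itself has to be authenticated (the message mentions re-signing) before any of its digests are trusted.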

