Re: [Gnu-arch-users] Re: MD5 is broken


From: Karel Gardas
Subject: Re: [Gnu-arch-users] Re: MD5 is broken
Date: Wed, 16 Mar 2005 11:51:10 +0100 (CET)

On Wed, 16 Mar 2005, Peter Conrad wrote:

> Hi,
>
> On Wed, Mar 16, 2005 at 12:26:30PM +0600, Ivan Boldyrev wrote:
> >
> > Tom Lord merges the sexy patch.  Even if he re-signs the patch, the
> > MD5 sum in ./checksum will be the same because *.patches.tar.gz is the same.
>
> this is wrong. If Tom merges your patch, he will automatically create
> additional log entries in his own branch. This (among other things, like
> changed timestamps) will lead to a file with a different MD5 sum.

I'm afraid the whole message is a bit different: hack the mirror, hack the
patch while keeping the MD5 intact, and let your attack on software X spread
throughout the world.

I've just now looked at tla and baz and found that at least the mirror at
http://bazaar.canonical.com/archives/address@hidden/ also uses
SHA-1 hashes. Since SHA-1 is also considered weak these days, this
does not add that much security, but it is certainly at least something
before arch moves to some more secure hash implementation.

Cheers,
Karel
--
Karel Gardas                  address@hidden
ObjectSecurity Ltd.           http://www.objectsecurity.com
