Re: [Gnu-arch-users] Re: MD5 is broken

[Tom Lord]

   From: Karel Gardas <address@hidden>

   I was in impression that patch signing was created mainly for making
   trusted archive mirrors on untrusted hosts possible.

In some sense it was, certainly.  From one perspective, the mirroring
process is just an arch transport layer even though it's implementation
recursively invokes higher levels of arch.

Regarded as an application layer, arch adds some redundant checks on
the transport and storage layers, and affords some pretty generic
hooks for signing of archive transactions.  That's a good place to
stop.  (CVS lacks such redundant checks and so notoriously fails on NFS
and historically was attacked in the Linux kernel project.)

Further security enhancements beyond those checks are apt to be,
at this point in history, "situation specific".  Add additional checksums
or fancier signing all you like: but it would take very rigorous work
to persuade me that the arch core should take on much of that burden.

-t