
Re: md5 package summaries on ftp server (was Re: System integrity)



On Thu, 24 Jun 1999, Chris Leishman wrote:

> > 1. Somebody else recently said (on this mailing list) that md5sums can
> > be "faked" by increasing the length of the file. Hence I would store the
> > file length in the md5sum file (like with the *.changes file and *.dsc
> > file).
> 
> I still haven't seen any evidence of this...

Go read some of the crypto sites. If you can vary the size of the thing
you are computing a digest for and the digest does not include the size as
part of its input, then it is lots easier to attack MD5. You really should
include the size, ownership and permissions of each file+dir, then you can
make sure someone hasn't gone around and made something setuid that
shouldn't be or somesuch.

Jason
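
An added example, not part of the original message or of any Debian tool: a manifest that stores size, ownership and mode next to each digest, for files and directories, and a check that reports which field changed. SHA-256 is used here in place of MD5, and the function names and the sample tree are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile

FIELDS = ("digest", "size", "mode", "uid", "gid")

def record(path):
    """Per-entry record; lstat so symlinks are not followed. st_mode holds
    the file type plus permission bits, including setuid/setgid."""
    st = os.lstat(path)
    digest = size = None
    if stat.S_ISREG(st.st_mode):
        size = st.st_size
        with open(path, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
    return dict(zip(FIELDS, (digest, size, st.st_mode, st.st_uid, st.st_gid)))

def build_manifest(root):
    """Map each relative path under root (files and dirs) to its record."""
    manifest = {".": record(root)}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = record(full)
    return manifest

def verify(root, manifest):
    """Return (path, what_changed) pairs comparing root to a stored manifest."""
    current, findings = build_manifest(root), []
    for path in sorted(set(manifest) | set(current)):
        old, new = manifest.get(path), current.get(path)
        if old is None or new is None:
            findings.append((path, "added" if old is None else "missing"))
            continue
        findings += [(path, f) for f in FIELDS if old[f] != new[f]]
    return findings

def demo():
    """Constructed tree: one file gains setuid, another grows by appended bytes."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("bin/tool", "etc/conf"):
            os.makedirs(os.path.join(root, os.path.dirname(rel)))
            with open(os.path.join(root, rel), "w") as f:
                f.write("original\n")
            os.chmod(os.path.join(root, rel), 0o644)
        baseline = build_manifest(root)
        os.chmod(os.path.join(root, "bin/tool"), 0o4755)  # setuid added
        with open(os.path.join(root, "etc/conf"), "a") as f:
            f.write("appended\n")  # content and length both change
        return verify(root, baseline)
```

The setuid change leaves the digest and size of bin/tool untouched, so only the stored mode reveals it.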

