[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: dpkg-sig support wanted?

On Fri, Nov 25, 2005 at 07:59:40PM +0100, Florian Weimer wrote:
> * Anthony Towns:
> > (I'm amazed the security "crisis" we're having is about deb sigs
> > *again*, when we're still relying on md5sum which has a public exploit
> > available now...)
> These exploits are irrelevant as far as the Debian archive is
> concerned.  (And that's not because hardly any sarge user verifies the
> MD5 hashes, by the way. 8-)

Uh. You're seriously putting your reputation on that claim?

And md5 hashes have been verified since either slink or potato depending
on when you started using apt; possibly earlier if dselect methods used
them like they should have. debootstrap certainly verified them for
woody. And heck, they've been used in .changes since day 0.

> Moving away from MD5 is certainly not a bad idea, but it's not clear
> whether the alternatives are any better.  Sure, everyone recommends
> SHA-256 at this stage, but nobody can give a rationale.

MD5 is broken; SHA-1 is where MD5 was a couple of years ago, SHA256 (or
higher) are significantly harder to break in practice, and there's
nothing better yet.


Attachment: signature.asc
Description: Digital signature

Reply to: