[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: improving downloader packages (was: Re: holes in secure apt)

(so not going to comment on the first part of the thread, beside maybe:
Its really sad that it is even suggested that DDs would need a technical
solution for the inherently social problem of a co-worker dying…)

On Wed, Jun 18, 2014 at 04:21:36AM +0200, Christoph Anton Mitterer wrote:
> On Mon, 2014-06-16 at 20:14 +0200, Jakub Wilk wrote: 
> > [0] And his skepticism was reinforced by (independent) discovery of this 
> > bug: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1098738
> *sigh*.... and this is still open? 8-O

Before someone is rushing to work on that (sorry, I was dreaming)…
we actually have a rework for hashsum handling in libapt in our
debian/experimental branch which as a minor sideeffect also solves this
one. Required quiet some amount of work, multiple api breaks still and
uhm… testing… but that is overrated. Someone checking this out would
still be welcomed…

> I mean MD5 is _really_ broken now... actually I think any secure APT

If you happen to have a same-size preimage attack on MD5 I would be
interested to hear about it.

(Its an interesting lesson in api design though. Having MD5 hardcoded in
the Files: field was a bad idea in hindsight. Makes you wonder what
horrible situation we were in before a time traveler made it less bad
with this design…)

> hash some type to be present (i.e. a secure one like SHA3, or SHA512)

One of the advantages of the previously mentioned rework is that it
would be quiet easy to add new hash implementations - provided we would
have an implementation available of course.

Best regards

David Kalnischkies

Attachment: signature.asc
Description: Digital signature

Reply to: