Re: md5 hashes used in security announcements
Bas Steendijk wrote:
> 2 files with a colliding hash can only be made by someone who can
> influence the creation of the file (thus, someone inside debian). he can
> make a "good" and a "bad" version of a package with the same MD5, and
> the same size. for someone to make a file with the same hash without
> influence in the creation of the original file would be a preimage attack.
Yeah, but remember that the "bad" version must also be a valid .deb file with
something inside that does work; otherwise you may just be able to get some
random stuff with the same file size and md5 sum but without any use.
P.S. I'm not saying it is impossible (I actually don't know, but let's assume
that it is), but chances aren't high.
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net