[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Compromising Debian Repositories

On Sun, Aug 04, 2013 at 03:04:33AM +0000, adrelanos wrote:
> Volker Birk:> On Sat, Aug 03, 2013 at 10:38:34AM +0000, adrelanos wrote:
> > There will be the correct checksum, if the maintainer of the package
> > does it.
> Why?

How and by whom are checksums defined?

> > And if you're taking the build machine, you can inject “correct”
> > checksums, too.
> But that will get caught when someone else builds the package and comes
> up with a different checksum? Or do you talk about hash collisions?

No, I'm talking about the process by whom and when a checksum is
defined. Whoever is able to define checksums is able to circumvent each
security measure basing on such checksums.

To “define” does not mean she/he has to know a secret to apply the
checksum. I's enough that she/he is authorized to use the communication
channel where data is injected, for which then a checksum is computed.

> (Just saw, that you are discussing to move to safer hash algorithms,
> thats fine and also a separate issue.)

Now I'm surprised ;-) I think, this is not a matter of security of
checksums here. Of course, only a digital signature will do, or at least
a MAC. But I didn't talk about that yet, because I don't think it

To make that clear: I don't think this is a matter of security of the
procedure what we're discussing. It is a matter of trusting the involved

pibit AG, Oberer Graben 4, 8400 Winterthur
mailto:vb@pibit.ch  Mobile +41 (79) 292 88 87

Attachment: pgpDTc2nKo71a.pgp
Description: PGP signature

Reply to: