
Re: doubt or possible improvement on apt



Hi,

thanks for the quick answer!

On 04/29/2015 02:10 PM, Julian Andres Klode wrote:
> I think we do not check sizes of indices, though. Only seem to be
> checking a hashsum.

About this, I think you should do it like any deb file and verify the
size of downloaded indexes.
Depending on the parsing, it could or could not have collision attacks on
that also, if you have stuff like comments. This could be used to insert
"computed stuff" to make it parse well and collide with some checksum.

> That does not make much sense. The entire chain is verified by a single
> hash in the GPG signature anyway.

The thing with a single hash is that another, different file could be
created with that same hash (by adding some stuff to the file). You guys are
preventing this by doing file size checking, and it works perfectly.

I was only saying that if you use two different algorithms for hashing and
verify both hashes, it will be harder (and maybe not even possible) to
match both hashes (colliding both hashing algorithms [if they work
differently, perhaps SHA1 and SHA256 may collide using the bigger block]).
(In deb packages they have MD5 and SHA1 listed for retro-compatibility
on available hashing algorithms.)

It was just another thought.

Once again thanks for the explanation and quick answer! Cheers!

Best regards,
HT
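
The check discussed in this message, as an added example that is not part of the original post and is not apt's code: an index is accepted only if its size and every digest listed for it in the Release file match. It assumes the Release file's GPG signature was already verified; the function names and the sample data are constructed for illustration.

```python
import hashlib

# Release-file checksum field -> hashlib algorithm name
FIELDS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}

def parse_release(text):
    """Return {path: {"size": int, "hashes": {field: hexdigest}}}."""
    entries, field = {}, None
    for line in text.splitlines():
        if not line.startswith(" "):
            # New top-level field; track it only if it is a checksum list
            name = line.split(":", 1)[0]
            field = name if name in FIELDS else None
            continue
        if field is None:
            continue
        digest, size, path = line.split()
        entry = entries.setdefault(path, {"size": int(size), "hashes": {}})
        if entry["size"] != int(size):
            raise ValueError(f"inconsistent sizes listed for {path}")
        entry["hashes"][field] = digest.lower()
    return entries

def verify_index(path, data, entries):
    """Return the list of failed checks; an empty list means accepted."""
    entry = entries.get(path)
    if entry is None:
        return ["not listed in Release"]
    failures = []
    if len(data) != entry["size"]:
        failures.append("size")  # padding added to force a collision changes the length
    for field, expected in entry["hashes"].items():
        if hashlib.new(FIELDS[field], data).hexdigest() != expected:
            failures.append(field)  # every listed algorithm must match
    return failures

def make_release(path, data):
    """Build a constructed Release excerpt for the sample data below."""
    lines = ["Origin: Example (constructed)"]
    for field, algo in FIELDS.items():
        lines += [f"{field}:", f" {hashlib.new(algo, data).hexdigest()} {len(data)} {path}"]
    return "\n".join(lines)

# Constructed sample index, not real archive data
SAMPLE_PATH = "main/binary-amd64/Packages"
SAMPLE_INDEX = b"Package: hello\nVersion: 1.0\n"
SAMPLE_RELEASE = make_release(SAMPLE_PATH, SAMPLE_INDEX)

if __name__ == "__main__":
    entries = parse_release(SAMPLE_RELEASE)
    print(verify_index(SAMPLE_PATH, SAMPLE_INDEX, entries))
    print(verify_index(SAMPLE_PATH, SAMPLE_INDEX + b"# padding\n", entries))
```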
