Control: tags 423902 = wontfix
Control: tags 665921 = wontfix
Control: severity 665921 wishlist
Control: merge 423902 665921

Hello again Christoph, others

Thanks for your continued interest and feedback regarding security in apt.

In Bug#423902, Colin Watson <[email protected]> wrote:
> On Mon, May 14, 2007 at 10:20:18PM +0200, Thomas Geyer wrote:
> > Package: apt
> > Version: 0.6.46.4
> > Severity: wishlist
> >
> >
> > Collisions for md5 and sha1 were found already,
> > so it's likely, that in the nearer future one of them alone won't be
> > safe enough.
> >
> > Since it is harder to find collisions for two checksums than for one,
> > apt should use both of them at the same time for verifying packages.
>
> This demonstrates a common misconception about hash algorithms, I'm
> afraid. Search for "multicollisions" to find papers debunking the
> usefulness of this technique. In short, concatenating MD5 and SHA1 adds
> approximately six bits of security over using SHA1 alone, which is
> unlikely to be worth the computational effort of doing so.

In Bug#423902, Christoph Anton Mitterer <[email protected]> wrote:
> Package: apt
> Version: 0.8.15.10
> Severity: important
> Tags: security

Downgrading the severity and removing security tag. All potential security issues are covered elsewhere (i.e. check md5 when sha256 available). Not checking every digest has a negligible impact on security.

> Hi.
>
> I hope this isn't a duplicate (with ~900 bugs, I may have overseen one ;-) ).
>
> APT uses hash sum verifications in many places (hopefully all).
>
> The files in /var/lib/apt/lists/ provide different kinds of hashsums (MD5, SHA*)
> in all "kinds" of files, Release, Packages and Sources.
>
> I made some simple tests, modifying these sums and doing actions.
>
> It seems that for different actions (I tried with apt-get "download" and "source"),
> different hashsums are looked at.
> E.g. for one of them it was "just" MD5, which is known to be quite weak now.

See <https://bugs.launchpad.net/bugs/1098738> and <https://bugs.launchpad.net/bugs/1098752> for these issues.

The main part of your post concerns this idea:

> May I suggest to do the following:
> Validate ALL available, and if only one of them fails, consider the
> verification to be failed.
>
> The above should be the default.

Colin's response adequately covers why this will not be done. Merging and +wontfix as appropriate.

Regards
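
The multicollision argument referred to above, as an added example that is not part of the original mail or of apt's code: on two toy hashes, chaining K block collisions in the iterated hash F gives 2^K messages with the same F digest, and a collision in the second hash G is then found among them. The hash sizes (MD5 cut to 16 bits, SHA-1 cut to 12 bits), the 4-byte block size and all function names are assumptions chosen so the search finishes quickly.

```python
import hashlib
from itertools import product

F_BITS, G_BITS, K = 16, 12, 13  # toy sizes (assumptions); 2**K > 2**G_BITS

def f(state: bytes, block: bytes) -> bytes:
    """Toy compression function: MD5 truncated to F_BITS."""
    return hashlib.md5(state + block).digest()[:F_BITS // 8]

def F(msg: bytes) -> bytes:
    """Toy iterated (Merkle-Damgard style) hash over 4-byte blocks."""
    state = b"\x00" * (F_BITS // 8)
    for i in range(0, len(msg), 4):
        state = f(state, msg[i:i + 4])
    return state

def G(msg: bytes) -> int:
    """Second toy hash: SHA-1 truncated to G_BITS."""
    return int.from_bytes(hashlib.sha1(msg).digest()[:2], "big") >> (16 - G_BITS)

def colliding_blocks(state: bytes):
    """Birthday search for two blocks that f maps to the same next state."""
    seen = {}
    for n in range(2 ** F_BITS + 1):  # pigeonhole bounds the loop
        block = n.to_bytes(4, "big")
        out = f(state, block)
        if out in seen:
            return seen[out], block, out, n + 1
        seen[out] = block

def concat_collision():
    """Return (m1, m2, hash_calls) where m1 != m2 collide under both F and G."""
    state, pairs, calls = b"\x00" * (F_BITS // 8), [], 0
    for _ in range(K):  # K chained collisions => 2**K messages with equal F
        a, b, state, n = colliding_blocks(state)
        pairs.append((a, b))
        calls += n
    seen = {}
    for choice in product(*pairs):  # every path through the chain
        msg = b"".join(choice)
        calls += 1
        g = G(msg)
        if g in seen:
            return seen[g], msg, calls
        seen[g] = msg

if __name__ == "__main__":
    m1, m2, calls = concat_collision()
    print(f"F||G collides after {calls} calls; generic birthday ~2^{(F_BITS + G_BITS) // 2}")
```

The work is roughly K birthday searches on F plus one on G, not one birthday search on the combined 28-bit output, which is why checking a second, weaker digest alongside the strongest one buys so little.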

