On Fri, Oct 24, 2008 at 03:12:20PM -0500, Raphael Geissert wrote:
> Bas Steendijk wrote:
> >
> > 2 files with a colliding hash can only be made by someone who can
> > influence the creation of the file (thus, someone inside Debian). He can
> > make a "good" and a "bad" version of a package with the same MD5, and
> > the same size. For someone to make a file with the same hash without
> > influence in the creation of the original file would be a preimage attack.
>
> Yeah, but remember that the "bad" version must also be a valid .deb file with
> something inside that does work; otherwise you may just be able to get some
> random stuff with the same file size and md5 sum but without any use.
Additionally, it doesn't matter -- it's just the md5 in the email announcement.
The Release and Packages files for the archive have SHA1 and SHA256. The md5
from the announcement is almost not important, IMO -- no one should download
files individually from the announcement.

-- 
Kees Cook
@outflux.net
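The point Kees makes above, that the archive's Packages and Release data carry SHA1 and SHA256 digests and that a downloader should not rely on the MD5 from an announcement, as an added example that is not from this thread or from any Debian tool: it parses a constructed Packages stanza (sample data built in the script, not real archive content) and verifies a file's size and strongest available digest, refusing to accept MD5 alone.

```python
import hashlib

# Constructed sample .deb contents (not a real package).
DEB_BYTES = b"!<arch>\nconstructed example payload, not a real .deb\n"

# Constructed Packages stanza; its Size and digest fields are computed from
# DEB_BYTES so the sample is self-consistent.
PACKAGES_STANZA = (
    "Package: example\n"
    "Version: 1.0-1\n"
    "Filename: pool/main/e/example/example_1.0-1_all.deb\n"
    f"Size: {len(DEB_BYTES)}\n"
    f"MD5sum: {hashlib.md5(DEB_BYTES).hexdigest()}\n"
    f"SHA1: {hashlib.sha1(DEB_BYTES).hexdigest()}\n"
    f"SHA256: {hashlib.sha256(DEB_BYTES).hexdigest()}\n"
)

# Strongest digest first. MD5sum is never accepted on its own because
# chosen-prefix collisions against MD5 are practical.
PREFERRED = (("SHA256", "sha256"), ("SHA1", "sha1"))

def parse_stanza(text):
    """Parse one RFC822-style Packages stanza into a dict of field -> value."""
    fields = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith((" ", "\t")):
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields

def verify_deb(data, stanza):
    """Return the name of the digest field that verified data, else raise ValueError.

    Size is checked first (cheap, and a collision must also match it), then the
    strongest digest the stanza carries; a stanza with only MD5sum is rejected.
    """
    fields = parse_stanza(stanza)
    if int(fields.get("Size", -1)) != len(data):
        raise ValueError("size mismatch")
    for field, algo in PREFERRED:
        expected = fields.get(field)
        if expected:
            if hashlib.new(algo, data).hexdigest() != expected.lower():
                raise ValueError(f"{field} mismatch")
            return field
    raise ValueError("no SHA256 or SHA1 field; refusing to trust MD5 alone")

def is_trusted(data, stanza):
    """Boolean convenience wrapper around verify_deb()."""
    try:
        verify_deb(data, stanza)
        return True
    except ValueError:
        return False
```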

