2014/1/12 Taylor Hornby ha...@defuse.ca
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/12/2014 01:56 PM, Kyle Terrien wrote:
On 01/12/2014 12:40 PM, Taylor Hornby wrote:
I guess I just don't understand what happens when I type
pacman -S firefox. Does that run the PKGBUILD on my
On 13 January 2014 00:58, Taylor Hornby ha...@defuse.ca wrote:
If so, this should be fixed as soon as possible. How feasible would it
be? Could it be as simple as making a script that:
1. Finds the 'source' and 'md5sums' lines.
2. Downloads the packages and checks the md5sums.
3. Computes
On 01/13/2014 02:49 AM, Rashif Ray Rahman wrote:
On 13 January 2014 00:58, Taylor Hornby ha...@defuse.ca wrote:
If so, this should be fixed as soon as possible. How feasible would it
be? Could it be as simple as making a script that:
1. Finds the 'source' and 'md5sums' lines.
2.
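The checker sketched in the two quoted snippets above (find the `source` and `md5sums` lines, fetch the files, verify the MD5s, then compute the replacement checksums) as an added example in Python; this is not code from the thread, from makepkg, or from Arch. It handles only the plain `name=value` and `name=(...)` assignment forms makepkg uses for these lines (no shell evaluation), and the download step is replaced by a constructed in-memory file table so it runs offline. The PKGBUILD, file names, URL and file contents are all constructed, not the real truecrypt package.

```python
"""Migrate a PKGBUILD's md5sums=() to sha256sums=() after re-verifying the MD5s.
Added example; parses the simple assignment forms only and never evaluates shell."""
import hashlib
import posixpath
import re
import shlex
from urllib.parse import urlparse

ARRAY_RE = re.compile(r'^(\w+)=\((.*?)\)', re.S | re.M)      # name=( ... ), possibly multi-line
SCALAR_RE = re.compile(r'^(\w+)=([^\s()]+)$', re.M)          # name=value


def expand(s, scalars):
    """Substitute $var / ${var} from scalar assignments such as pkgver=."""
    return re.sub(r'\$\{?(\w+)\}?', lambda m: scalars.get(m.group(1), m.group(0)), s)


def parse_pkgbuild(text):
    """Return (scalars, arrays) for the assignment forms used by source/checksum lines."""
    scalars = {m.group(1): m.group(2).strip('\'"') for m in SCALAR_RE.finditer(text)}
    arrays = {m.group(1): [expand(i, scalars) for i in shlex.split(m.group(2))]
              for m in ARRAY_RE.finditer(text)}
    return scalars, arrays


def split_source(entry):
    """'local::url' -> (local, url); 'url' -> (basename, url); 'file' -> (file, None)."""
    if '::' in entry:
        name, url = entry.split('::', 1)
    elif '://' in entry:
        url = entry
        name = posixpath.basename(urlparse(url).path)
    else:
        name, url = entry, None
    return name, url


def migrate_checksums(text, fetch):
    """Verify every source against md5sums using bytes from fetch(name, url) and
    return the sha256sums=() line. Any mismatch raises ValueError, so a corrupt or
    substituted file is never silently 'upgraded' to a SHA-256 entry."""
    _, arrays = parse_pkgbuild(text)
    sources, md5s = arrays.get('source', []), arrays.get('md5sums', [])
    if len(sources) != len(md5s):
        raise ValueError('source and md5sums arrays differ in length')
    out = []
    for entry, expected in zip(sources, md5s):
        name, url = split_source(entry)
        if expected == 'SKIP':            # makepkg convention for "do not check"
            out.append('SKIP')
            continue
        data = fetch(name, url)
        got = hashlib.md5(data).hexdigest()
        if got != expected:
            raise ValueError(f'{name}: md5 {got} != expected {expected}')
        out.append(hashlib.sha256(data).hexdigest())
    return 'sha256sums=(' + '\n            '.join(f"'{h}'" for h in out) + ')'


# Constructed sample inputs (hypothetical package; not the real truecrypt files).
FILES = {
    'example-1.0.tar.gz': b'constructed tarball bytes\n',
    'example.install': b'post_install() { :; }\n',
}


def fake_fetch(name, url):
    """Stand-in for the FTP/HTTP download: serves the constructed files."""
    return FILES[name]


def sample_pkgbuild(md5_of_tarball=None):
    """Constructed PKGBUILD; pass a wrong MD5 to simulate a tampered tarball."""
    md5_tar = md5_of_tarball or hashlib.md5(FILES['example-1.0.tar.gz']).hexdigest()
    md5_inst = hashlib.md5(FILES['example.install']).hexdigest()
    return (
        'pkgname=example\n'
        'pkgver=1.0\n'
        'source=("http://ftp.example.invalid/example-$pkgver.tar.gz"\n'
        '        example.install)\n'
        f"md5sums=('{md5_tar}'\n"
        f"         '{md5_inst}')\n"
    )


def run_demo():
    """Return (sha256 line for the good PKGBUILD, error text for the tampered one)."""
    good = migrate_checksums(sample_pkgbuild(), fake_fetch)
    try:
        migrate_checksums(sample_pkgbuild('0' * 32), fake_fetch)
        tampered = None
    except ValueError as e:
        tampered = str(e)
    return good, tampered


if __name__ == '__main__':
    line, err = run_demo()
    print(line)
    print('tampered PKGBUILD rejected:', err)
```

Note the caveat Jelle raises later in the thread: this only changes which hash is recorded. Whoever can replace the file on the mirror at the time the maintainer runs this can also choose what gets hashed, so the SHA-256 entry is only as trustworthy as the copy the maintainer verified out of band.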
On 01/11/14 at 11:09pm, Taylor Hornby wrote:
I noticed that the TrueCrypt package is downloaded over an insecure FTP
connection and then only verified using MD5 hashes.
https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/truecrypt
There are practical
On 12 January 2014 14:09, Taylor Hornby ha...@defuse.ca wrote:
Are there other packages still being verified with MD5? Can we fix them
too? I'll gladly donate my time if it's not something that can be automated.
Of the 4890 base packages shown by ABS, 2988 are MD5-only. That is
61%, or more
Am 12.01.2014 10:21, schrieb Jelle van der Waa:
On 01/11/14 at 11:09pm, Taylor Hornby wrote:
...
SHA256 hashes won't fix anything, since hashes are only integrity checks
telling you the downloaded file isn't corrupt.
Signatures however are made to verify that the content isn't modified on
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/12/2014 02:21 AM, Jelle van der Waa wrote:
SHA256 hashes won't fix anything, since hashes are only integrity
checks telling you the downloaded file isn't corrupt.
Right. I assumed it was the PKGBUILD that was signed and verified,
then it was
On 01/12/2014 02:58 AM, Rashif Ray Rahman wrote:
On 12 January 2014 14:09, Taylor Hornby ha...@defuse.ca wrote:
Are there other packages still being verified with MD5? Can we fix them
too? I'll gladly donate my time if it's not something that can be automated.
Of the 4890 base packages shown
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/12/2014 09:30 AM, Taylor Hornby wrote:
The .sig file on the FTP server is the same one you can download
from the TrueCrypt website. If it's used to verify the packages,
the client needs a secure way to get the TrueCrypt Foundation's
public
On Sun, 12 Jan 2014 09:30:04 -0700
Taylor Hornby ha...@defuse.ca wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/12/2014 02:21 AM, Jelle van der Waa wrote:
SHA256 hashes won't fix anything, since hashes are only integrity
checks telling you the downloaded file isn't corrupt.
On Sat, 2014-01-11 at 23:09 -0700, Taylor Hornby wrote:
I noticed that the TrueCrypt package is downloaded over an insecure FTP
connection and then only verified using MD5 hashes.
https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/truecrypt
There are
On 01/12/14 at 09:58am, Taylor Hornby wrote:
On 01/12/2014 02:58 AM, Rashif Ray Rahman wrote:
On 12 January 2014 14:09, Taylor Hornby ha...@defuse.ca wrote:
Are there other packages still being verified with MD5? Can we fix them
too? I'll gladly donate my time if it's not something that can
On 01/12/2014 10:11 AM, Mark Lee wrote:
Perhaps I'm not strong enough in mathematics but I'd like to know how
possible md5 collisions can be weaponized. From what I see, the idea
would be to modify a binary such that it contains malicious code
(without changing the md5sum). Since most security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 12.1.2014 19:29, Taylor Hornby wrote:
On 01/12/2014 10:11 AM, Mark Lee wrote:
Perhaps I'm not strong enough in mathematics but I'd like to know
how possible md5 collisions can be weaponized. From what I see,
the idea would be to modify a binary
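Mark Lee's question above (how an MD5 collision turns into a modified binary with the same md5sum) as an added worked example in Python, not code from the thread. It uses the published MD5-colliding block pair from Wang, Feng, Lai and Yu (2004): two 128-byte inputs that differ in six bytes yet share one MD5 digest. Because MD5 is a Merkle-Damgard construction, once two inputs of equal length collide, appending the same suffix to both keeps the collision, so an attacker builds a "good" twin and an "evil" twin sharing a header and a payload, submits the good one to whoever records the md5sum, and later substitutes the evil one. The payload here is a constructed stand-in that branches on one header byte; a real attack would do the same inside a compiled program.

```python
"""Two files, identical MD5, different behaviour. Added example built on the
published Wang et al. MD5 collision blocks; payload and behaviour() are constructed."""
import hashlib

# Published colliding 128-byte blocks (Wang, Feng, Lai, Yu, 2004). They collide
# from MD5's standard IV, so they must sit at the very start of the file.
BLOCK_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70")
BLOCK_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70")

# Constructed shared payload: the part of the "program" that is the same in
# both twins. In a real binary this is the code that inspects its own header.
PAYLOAD = b"\n# shared program body: branch on header byte 19 (0x87 good, 0x07 evil)\n"


def build_twin(block):
    """Common-suffix extension: block + PAYLOAD keeps the MD5 collision."""
    return block + PAYLOAD


def behaviour(image):
    """Stand-in for the executable's logic: the header byte decides the path."""
    return 'benign' if image[19] == 0x87 else 'malicious'


def md5(data):
    return hashlib.md5(data).hexdigest()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def differing_positions(a, b):
    """Byte offsets where the two colliding blocks differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def demo():
    """Return (md5 good, md5 evil, sha256 good, sha256 evil, behaviour good, behaviour evil)."""
    good, evil = build_twin(BLOCK_A), build_twin(BLOCK_B)
    return md5(good), md5(evil), sha256(good), sha256(evil), behaviour(good), behaviour(evil)


if __name__ == '__main__':
    m1, m2, s1, s2, b1, b2 = demo()
    print('md5 equal:', m1 == m2, m1)           # md5 equal: True 79054025255fb1a26e4bc422aef54eb4 (blocks alone)
    print('sha256 equal:', s1 == s2)            # False
    print('behaviour:', b1, '/', b2)            # benign / malicious
    print('differing header bytes:', differing_positions(BLOCK_A, BLOCK_B))
```

The limit of this attack answers the second half of the question: an identical-prefix collision lets the attacker create two files of their own choosing that collide; it does not let them match the MD5 of an existing file they did not craft (that would be a second preimage, which is still impractical for MD5). So the dangerous case is exactly the one the thread is circling: the party who supplies the original file to the maintainer (upstream, or whoever controls the FTP server at that moment) can be the one holding the evil twin. Chosen-prefix collisions (Stevens et al.) relax the shared-header requirement further but still require the attacker to author both files.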
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/12/2014 10:27 AM, Jelle van der Waa wrote:
No, you don't rely on hashes for security, hashes are for
integrity checks. Signatures are for the verification of a file or
message, since anyone can replace the hash on the server and upload
a new
On Sun, Jan 12, 2014 at 9:40 PM, Taylor Hornby ha...@defuse.ca wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/12/2014 10:27 AM, Jelle van der Waa wrote:
No, you don't rely on hashes for security, hashes are for
integrity checks. Signatures are for the verification of a file or
On 01/12/2014 12:40 PM, Taylor Hornby wrote:
I guess I just don't understand what happens when I type pacman -S
firefox. Does that run the PKGBUILD on my system, or does it download
and install pre-compiled (and signed) Firefox binaries that were
created by one of the Arch developers using the
Hi,
I believe the topic starter has concerns about weakness of the MD5 hash
algorithm. He suggests to deprecate md5sums=() and use a cryptographic
hash algorithm like SHA256. Personally I avoid MD5 in my packages
because of its bad reputation. But I am not a crypto expert though.
I have been
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/12/2014 01:56 PM, Kyle Terrien wrote:
On 01/12/2014 12:40 PM, Taylor Hornby wrote:
I guess I just don't understand what happens when I type
pacman -S firefox. Does that run the PKGBUILD on my system,
or does it download and install
On Sun, 2014-01-12 at 11:29 -0700, Taylor Hornby wrote:
On 01/12/2014 10:11 AM, Mark Lee wrote:
Perhaps I'm not strong enough in mathematics but I'd like to know how
possible md5 collisions can be weaponized. From what I see, the idea
would be to modify a binary such that it contains
On Sun, 2014-01-12 at 16:29 -0500, Mark Lee wrote:
On Sun, 2014-01-12 at 11:29 -0700, Taylor Hornby wrote:
On 01/12/2014 10:11 AM, Mark Lee wrote:
Perhaps I'm not strong enough in mathematics but I'd like to know how
possible md5 collisions can be weaponized. From what I see, the idea
On Sun, 2014-01-12 at 16:37 -0500, Mark Lee wrote:
On Sun, 2014-01-12 at 16:29 -0500, Mark Lee wrote:
On Sun, 2014-01-12 at 11:29 -0700, Taylor Hornby wrote:
On 01/12/2014 10:11 AM, Mark Lee wrote:
Perhaps I'm not strong enough in mathematics but I'd like to know how
possible md5
On 01/12/2014 01:13 PM, Taylor Hornby wrote:
Thank you, that makes so much more sense!
So, really, the vulnerability only exists while the Arch dev (or
package maintainer or whatever they're called) is building the
package. Once they do, and sign it, all Arch users will verify their