On Mon, 2012-10-15 at 13:46 -0400, Michael Gilbert wrote:
Are there bug reports with a clear description of the problem,
preferably with a proposed fix? Discussion doesn't really get us
anywhere. Useful info and actual efforts at fixing problems do.
Well it's not that easy in that areas to
On 19 October 2012 09:19, Christoph Anton Mitterer
cales...@scientia.net wrote:
1) Programs (I usually mean apt or aptitude here) don't give exit
statuses != 0 in all cases when something critical has happened.
The apt-utils are mostly ok at aborting with non-zero for critical
errors. Aptitude
On Thu, Oct 18, 2012 at 9:19 PM, Christoph Anton Mitterer wrote:
2) downgrade attacks
These have the same idea as blocking attacks (prevent the user from getting
updates) but are a bit smarter.
You don't simply block any update requests, but rather you send the user
old repository data. These are
On Mon, Oct 15, 2012 at 02:58:15AM +0200, Christoph Anton Mitterer wrote:
debsums is intended primarily as a way of determining what installed files
have been locally modified by the administrator or damaged by media errors
and is of limited use as a security tool.
If you are looking
On Sun, Oct 14, 2012 at 9:08 PM, Christoph Anton Mitterer wrote:
If so, please submit
bugs, and we will look at fixing them. Otherwise, speculation gets us
nowhere and actually wastes time.
Well I had once a discussion (around March this year) here about
blocking/downgrade attacks... which,
On 15 October 2012 18:46, Michael Gilbert mgilb...@debian.org wrote:
On Sun, Oct 14, 2012 at 9:08 PM, Christoph Anton Mitterer wrote:
If so, please submit
bugs, and we will look at fixing them. Otherwise, speculation gets us
nowhere and actually wastes time.
Well I had once a discussion
* Wouter Verhelst wou...@debian.org [121013 10:56]:
On Fri, Oct 12, 2012 at 09:17:32AM +0200, Bernhard R. Link wrote:
part at all) will only weaken security. So I think what you say is an
argument for keeping md5sum, so that no one thinks they can use that
information for security.
This
On Sun, Oct 14, 2012 at 01:14:19PM +0200, Bernhard R. Link wrote:
part at all) will only weaken security. So I think what you say is an
argument for keeping md5sum, so that no one thinks they can use that
information for security.
This argument is based on the incorrect assumption that
On Sun, 2012-10-14 at 17:25 +0600, Andrey Rahmatullin wrote:
debsums is intended primarily as a way of determining what installed files
have been locally modified by the administrator or damaged by media errors
and is of limited use as a security tool.
If you are looking for an integrity
On Fri, 2012-10-12 at 16:52 -0400, Michael Gilbert wrote:
On Fri, Oct 12, 2012 at 4:45 PM, Christoph Anton Mitterer wrote:
I wasn't talking about such an impossible task,... but there speaks
nothing against relatively easy things,... like securing all of our
package repository
On Fri, Oct 12, 2012 at 09:17:32AM +0200, Bernhard R. Link wrote:
part at all) will only weaken security. So I think what you say is an
argument for keeping md5sum, so that no one thinks they can use that
information for security.
This argument is based on the incorrect assumption that everyone
* Christoph Anton Mitterer cales...@scientia.net [121011 19:39]:
On Thu, 2012-10-11 at 11:35 -0500, Peter Samuelson wrote:
What makes sense is to use a hash that has the properties that are
needed for a particular application.
Well... I think that's only really required if performance is
On 12.10.2012 01:30, Christoph Anton Mitterer wrote:
I further looked around:
e.g. the Release file seems to only use MD5 not so good :(
You didn't look very far / well.
$ wget -O- -q http://ftp.debian.org/debian/dists/squeeze/Release | grep
-v ^
Origin: Debian
Label: Debian
Suite:
On Thu, Oct 11, 2012 at 7:38 PM, Christoph Anton Mitterer
cales...@scientia.net wrote:
algo,... not to mention that newer algos like Keccak are quite fast.
I wonder if it is really a good idea to search for a security checksum
based on the metric that it can be quickly calculated … but
On 12/10/12 12:10, David Kalnischkies wrote:
I wonder if it is really a good idea to search for a security checksum
based on the metric that it can be quickly calculated … but off-topic.
It depends what you're using it for: security is not magic pixie dust. A
hashing algorithm that is faster
Hi Paul.
On Fri, 2012-10-12 at 10:09 +0800, Paul Wise wrote:
I further looked around:
e.g. the Release file seems to only use MD5 not so good :(
Wrong, the Release file has had all 3 since sarge. woody had MD5 SHA-1.
Then what's this:
ftp://ftp.de.debian.org/debian/dists/sid/Release
On Fri, 2012-10-12 at 09:17 +0200, Bernhard R. Link wrote:
There is a disadvantage of having longer hashsums, thus making it harder
for people to compare. The only reason that for those md5 is optimal and
not crc32 is that there is only one md5 and there is a nice always
available tool to
On Fri, 2012-10-12 at 13:49 +0200, Christoph Anton Mitterer wrote:
Then what's this:
ftp://ftp.de.debian.org/debian/dists/sid/Release
Ah... my bad... the file is simply truncated at some point... but I
guess this must be a local error.
On Fri, 2012-10-12 at 08:26 +0100, Adam D. Barratt
On 12.10.2012 12:49, Christoph Anton Mitterer wrote:
On Fri, 2012-10-12 at 10:09 +0800, Paul Wise wrote:
I further looked around:
e.g. the Release file seems to only use MD5 not so good :(
Wrong, the Release file has had all 3 since sarge. woody had MD5
SHA-1.
Then what's this:
On 12 October 2012 13:03, Adam D. Barratt a...@adam-barratt.org.uk wrote:
I'm struggling to see what point you believe you're making here.
The point he was trying to make is that he either caught a mirror during
update, or his connection was flaky, as he didn't fetch the complete
file, nor verify
On Fri, Oct 12, 2012 at 7:49 PM, Christoph Anton Mitterer
cales...@scientia.net wrote:
Then what's this:
ftp://ftp.de.debian.org/debian/dists/sid/Release
Sounds like you have a person in the middle hacking your network (or a
browser bug), it works for me:
pabs@chianamo ~ $ GET
On Friday, October 12, 2012 05:10:12 David Kalnischkies wrote:
On Thu, Oct 11, 2012 at 7:38 PM, Christoph Anton Mitterer
cales...@scientia.net wrote:
algo,... not to mention that newer algos like Keccak are quite fast.
I wonder if it is really a good idea to search for a security
On Fri, Oct 12, 2012 at 09:05:01AM -0600, Wesley J. Landaker wrote:
On Friday, October 12, 2012 05:10:12 David Kalnischkies wrote:
On Thu, Oct 11, 2012 at 7:38 PM, Christoph Anton Mitterer
cales...@scientia.net wrote:
algo,... not to mention that newer algos like Keccak are quite fast.
Hey Paul.
On Fri, 2012-10-12 at 20:48 +0800, Paul Wise wrote:
Sounds like you have a person in the middle hacking your network (or a
browser bug), it works for me:
*g* guess I somehow deserved that ;) ... and not even SHA-3 would have
protected me from not verifying against Release.asc ^^
On Fri, 2012-10-12 at 13:10 +0200, David Kalnischkies wrote:
Oh, and there is Description-md5. I can't imagine a scenario in which it
would be useful to change the English description of a package for an attack
(which you want to hide by displaying the translations of the not modified
version)
On Fri, Oct 12, 2012 at 4:31 PM, Christoph Anton Mitterer wrote:
But it's a general security paradigm, that one shouldn't just focus on
the attack vectors one can think of... but rather trying to secure
everything ;)
Which is impossible, or at least man-powerwise insurmountable. There
are
On Fri, 2012-10-12 at 16:37 -0400, Michael Gilbert wrote:
Which is impossible, or at least man-powerwise insurmountable. There
are something like 500 million lines of code in a Debian release.
I wasn't talking about such an impossible task,... but there speaks
nothing against relatively easy
On Fri, Oct 12, 2012 at 4:45 PM, Christoph Anton Mitterer wrote:
On Fri, 2012-10-12 at 16:37 -0400, Michael Gilbert wrote:
Which is impossible, or at least man-powerwise insurmountable. There
are something like 500 million lines of code in a Debian release.
I wasn't talking about such an
Hi folks.
AFAICS, secure APT and similar things (e.g. dpkg's file hash sums) still
use even MD5.
Wouldn't it make sense to start discussions about moving to the
strongest possible?
Or, like in the case of package files (dsc and friends) make a policy of
verifying all hashes, and fail if any
[Christoph Anton Mitterer]
Wouldn't it make sense to start discussions about moving to the
strongest possible?
No. What makes sense is to use a hash that has the properties that are
needed for a particular application.
To use your example of dpkg file checksums, their purpose has _nothing_
On Thu, 2012-10-11 at 11:35 -0500, Peter Samuelson wrote:
What makes sense is to use a hash that has the properties that are
needed for a particular application.
Well... I think that's only really required if performance is very
critical, e.g. when you're on embedded devices or so,... but the
On 2012-10-11 19:38, Christoph Anton Mitterer wrote:
On Thu, 2012-10-11 at 11:35 -0500, Peter Samuelson wrote:
What makes sense is to use a hash that has the properties that are
needed for a particular application.
Well... I think that's only really required if performance is very
critical,
On Thu, Oct 11, 2012 at 01:19:58AM +0200, Christoph Anton Mitterer wrote:
Hi folks.
AFAICS, secure APT and similar things (e.g. dpkg's file hash sums) still
use even MD5.
dpkg-genchanges and dak both generate md5, sha1 and sha256. So
.deb files themselves are hashed by all 3 of them. A as
On Thu, Oct 11, 2012 at 08:18:55PM +0200, Kurt Roeckx wrote:
There are also the md5sums files that are stored in the .deb file.
I'm not really sure what the real use case for them is and
wouldn't have a problem with them going away.
debsums(1) aka what packages on my system are corrupt by a
On Fri, Oct 12, 2012 at 12:42:57AM +0600, Andrey Rahmatullin wrote:
On Thu, Oct 11, 2012 at 08:18:55PM +0200, Kurt Roeckx wrote:
There are also the md5sums files that are stored in the .deb file.
I'm not really sure what the real use case for them is and
wouldn't have a problem with them
On Thu, Oct 11, 2012 at 08:18:55PM +0200, Kurt Roeckx wrote:
MD5 is covered by policy, and it's the only mentioned in policy,
maybe that should change.
Hi Kurt and everybody,
For control files, Checksums-Sha1 and Checksums-Sha256 are covered in chapter
5, where they are marked as
On Thu, 2012-10-11 at 20:18 +0200, Kurt Roeckx wrote:
dpkg-genchanges and dak both generate md5, sha1 and sha256. So
.deb files themselves are hashed by all 3 of them. A as far as I
know all tools that verify those files also check all 3 of those
hashes.
Ah? Ok... I somehow had in mind that a)
Kurt Roeckx wrote:
Andrey Rahmatullin wrote:
Kurt Roeckx wrote:
There are also the md5sums files that are stored in the .deb file.
I'm not really sure what the real use case for them is and
wouldn't have a problem with them going away.
debsums(1) aka what packages on my system are
On Fri, Oct 12, 2012 at 8:30 AM, Christoph Anton Mitterer wrote:
I further looked around:
e.g. the Release file seems to only use MD5 not so good :(
Wrong, the Release file has had all 3 since sarge. woody had MD5 SHA-1.
--
bye,
pabs
http://wiki.debian.org/PaulWise
On Fri, Oct 12, 2012 at 8:30 AM, Christoph Anton Mitterer wrote:
Sources files seems to use MD5, SHA1 and SHA256... though MD5 seems to
have a special status (Files vs. Checksums-algo).
That might be just historic, though.
Similarly the Packages files... MD5/SHA1/SHA256...
Only since wheezy