Bernd Eckenfels [EMAIL PROTECTED] writes:
In article [EMAIL PROTECTED] you wrote:
I don't understand why DSAs for etch include md5sums and manual upgrade
instructions at all. Apt can verify the checksum and gpg signature and
handle the upgrade after all, and probably more securely than the
* Steffen Schulz:
On 070613 at 10:43, Florian Weimer wrote:
AND the fact that it needs to be a valid .deb archive, they are
probably more than strong enough.
This is actually not much of a problem:
http://www.cits.rub.de/MD5Collisions/
One example how to create two files with same hash
* Steffen Schulz:
If for whatever reason people get untrustworthy, it would be nice to
know as soon as possible, no? Government, Money, ..
Well, in this case, you're barking up the wrong tree. What you really
want is some kind of audit trail, which might increase confidence in
the integrity
In article [EMAIL PROTECTED] you wrote:
Then they can wget the Release.gpg file, Release file, Packages file
and check each in turn. Their choice.
Which is much more complicated than checking a given fingerprint (which is
very usual for Advisories)
Gruss
Bernd
--
To UNSUBSCRIBE, email to
could distribute nice binaries and then inject
malicious packets to certain targets.
The overall point of writing my comment:
Don't check all conditions, protocols, use cases.
Just replace md5 some time soon.
If you don't trust the security team, you probably shouldn't install
security updates
On Thu, Jun 14, 2007 at 11:37:33AM +0200, Steffen Schulz wrote:
On 070614 at 00:00, Michael Stone wrote:
On Wed, Jun 13, 2007 at 11:14:15PM +0200, Steffen Schulz wrote:
http://www.cits.rub.de/MD5Collisions/
One example how to create two files with same hash that act
differently. Should work
On 070614 at 13:40, Michael Stone wrote:
So every maintainer could distribute nice binaries and then inject
malicious packets to certain targets.
Every maintainer can do that without dicking around with md5 collisions.
Not as good. The chances of detection grow with the install base.
If you
* Henrique de Moraes Holschuh:
On Tue, 12 Jun 2007, Touko Korpela wrote:
Debian Security Advisories currently contain MD5 checksums. As MD5 is no
longer strong enough, maybe it should be replaced by SHA1 or SHA256?
When combined with size information
Size information doesn't buy you that
On Wed, 13 Jun 2007, Florian Weimer wrote:
On Tue, 12 Jun 2007, Touko Korpela wrote:
Debian Security Advisories currently contain MD5 checksums. As MD5 is no
longer strong enough, maybe it should be replaced by SHA1 or SHA256?
When combined with size information
Size information
On Wed, Jun 13, 2007 at 10:37:26AM -0300, Henrique de Moraes Holschuh [EMAIL
PROTECTED] wrote:
On Wed, 13 Jun 2007, Florian Weimer wrote:
On Tue, 12 Jun 2007, Touko Korpela wrote:
Debian Security Advisories currently contain MD5 checksums. As MD5 is no
longer strong enough, maybe it
On Tuesday 12 June 2007 22.41:23 Touko Korpela wrote:
Debian Security Advisories currently contain MD5 checksums. As MD5 is no
longer strong enough, maybe it should be replaced by SHA1 or SHA256?
Strong enough for what?
You can get an md5 collision quite easily, but is 2nd preimage also
Mike Hommey wrote:
On Wed, Jun 13, 2007 at 10:37:26AM -0300, Henrique de Moraes Holschuh [EMAIL
PROTECTED] wrote:
On Wed, 13 Jun 2007, Florian Weimer wrote:
On Tue, 12 Jun 2007, Touko Korpela wrote:
Debian Security Advisories currently contain MD5 checksums. As MD5 is no
longer strong
* Henrique de Moraes Holschuh:
Size information doesn't buy you that much.
When we are talking about a binary blob that matches the *same* md5sum? Yes,
it does. Causing a MD5 colision with a message of the same size is far more
difficult.
Oh, in this case, please show us a collision of two
On 070613 at 10:43, Florian Weimer wrote:
AND the fact that it needs to be a valid .deb archive, they are
probably more than strong enough.
This is actually not much of a problem:
http://www.cits.rub.de/MD5Collisions/
One example how to create two files with same hash that act
differently.
On Wed, Jun 13, 2007 at 11:14:15PM +0200, Steffen Schulz wrote:
On 070613 at 10:43, Florian Weimer wrote:
AND the fact that it needs to be a valid .deb archive, they are
probably more than strong enough.
This is actually not much of a problem:
http://www.cits.rub.de/MD5Collisions/
One
On Tue, Jun 12, 2007 at 07:39:38PM -0400, Joey Hess wrote:
Bernd Eckenfels wrote:
Because open source is all about choice.
So it's there because of a platitude?
There might be admins using dpkg -i
or security officers who build their local mirrors manually.
Then why don't we include
Debian Security Advisories currently contain MD5 checksums. As MD5 is no
longer strong enough, maybe it should be replaced by SHA1 or SHA256?
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
On Tue, 12 Jun 2007, Touko Korpela wrote:
Debian Security Advisories currently contain MD5 checksums. As MD5 is no
longer strong enough, maybe it should be replaced by SHA1 or SHA256?
When combined with size information AND the fact that it needs to be a valid
.deb archive, they are probably
Touko Korpela wrote:
Debian Security Advisories currently contain MD5 checksums. As MD5 is no
longer strong enough, maybe it should be replaced by SHA1 or SHA256?
I don't understand why DSAs for etch include md5sums and manual upgrade
instructions at all. Apt can verify the checksum and gpg
On Wed, Jun 13, 2007 at 12:40:41AM +0200, Bernd Eckenfels wrote:
In article [EMAIL PROTECTED] you wrote:
I don't understand why DSAs for etch include md5sums and manual upgrade
instructions at all. Apt can verify the checksum and gpg signature and
handle the upgrade after all, and probably
Bernd Eckenfels wrote:
Because open source is all about choice.
So it's there because of a platitude?
There might be admins using dpkg -i
or security officers who build their local mirrors manually.
Then why don't we include md5sums and wget commands for all packages in
stable point release
21 matches
Mail list logo