I'm not so sure. It's true that the known attacks are collision attacks.
Yet, collision attacks can be used to mount data-integrity attacks that
replace specific files in archives, at least, with the trick at
http://eprint.iacr.org/2004/356.pdf. That depends on having the colliding
blocks happen to have enough bytes in them that the choice of colliding
block functions as a jump table for a self-extracting archive. It obviously
doesn't directly map to a .dsc.

Generally people regard it as dead as soon as collisions are *found*, even
if nobody knows how to generate them. (Note that in the paper I cite above,
they simply used the colliding blocks published by the original Chinese
researchers, who at the time had not made public their strategy for finding
collisions.) Someone interested in pwning md5 could well have built an
extremely large library of colliding blocks by now, including ones
that look like tar headers and the like. I'm just not so confident.


On Fri, Jan 11, 2013 at 3:22 PM, William Grant <m...@williamgrant.id.au> wrote:

> This needs fixing in apt-ftparchive before Launchpad can do anything.
>
> Also, MD5 collisions aren't hugely concerning here. It's a preimage that
> would be more of a problem, and there's no serious preimage attack known
> on MD5 today. I agree that this isn't a good situation, but it's not
> "everything is broken with a few hours of computation" bad.
>
> ** Also affects: apt (Ubuntu)
>    Importance: Undecided
>        Status: New
>
> --
> You received this bug notification because you are a member of Goobuntu
> Team, which is subscribed to the bug report.
> https://bugs.launchpad.net/bugs/1078697
>
> Title:
>   Ubuntu archive is missing SHA-1/SHA-256 hashes for some packages
>
> Status in Launchpad itself:
>   Triaged
> Status in “apt” package in Ubuntu:
>   New
>
> Bug description:
>   As part of the Debian derivatives census, we are doing some checks on
>   all derivatives. We noticed that a number of source packages are missing
>   SHA-1/SHA-256 hashes. You may have inherited this issue from Debian, we
>   had the same issue until recently. Here are some sample messages from
>   the report below, which is generated daily.
>
>   WARNING: source cvstrac 2.0.1-3: SHA-256 hashes but no hash for the dsc file
>   WARNING: source cvstrac 2.0.1-3: SHA-1 hashes but no hash for the dsc file
>   WARNING: source diveintopython 5.4-2ubuntu2: no SHA-256 hash
>   WARNING: source diveintopython 5.4-2ubuntu2: no SHA-1 hash
>
>   http://dex.alioth.debian.org/census/Ubuntu/check-package-list
>
>   Please ignore the warnings about GPG and InRelease stuff, they are due
>   to python-apt not supporting some things in Debian squeeze.
>
>    affects launchpad
>    subscribe ubuntu-archive
>
>   --
>   bye,
>   pabs
>
>   http://wiki.debian.org/PaulWise
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/launchpad/+bug/1078697/+subscriptions
>
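As an added example (not code from this thread, from apt-ftparchive or from the census tooling), here is a small checker that reproduces the WARNING lines quoted in the bug description by parsing a Debian-style Sources index and reporting stanzas that lack SHA-1/SHA-256 checksums, or carry them but not for the .dsc file. The sample index is constructed and its digest values are placeholders.

```python
# Added example, not code from the bug thread or apt-ftparchive: a checker in the
# spirit of the census report quoted above, run over a Debian-style Sources index.
from typing import Dict, List

# Constructed sample index (digest values are placeholders, not real hashes).
SAMPLE_SOURCES = """\
Package: cvstrac
Version: 2.0.1-3
Checksums-Sha1:
 da39a3ee5e6b4b0d3255bfef95601890afd80709 5678 cvstrac_2.0.1.orig.tar.gz
Checksums-Sha256:
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 5678 cvstrac_2.0.1.orig.tar.gz

Package: diveintopython
Version: 5.4-2ubuntu2
Files:
 00000000000000000000000000000000 42 diveintopython_5.4-2ubuntu2.dsc
"""

def parse_stanzas(text: str) -> List[Dict[str, List[str]]]:
    """Split RFC822-style control stanzas; continuation lines stay with their field."""
    stanzas, current, field = [], {}, None
    for line in text.splitlines():
        if not line.strip():                     # blank line ends a stanza
            if current:
                stanzas.append(current)
            current, field = {}, None
        elif line[0] in " \t" and field:         # continuation of a list field
            current[field].append(line.strip())
        else:
            field, _, value = line.partition(":")
            current[field] = [value.strip()] if value.strip() else []
    if current:
        stanzas.append(current)
    return stanzas

def check_sources(text: str) -> List[str]:
    """Return WARNING lines in the census report's format, strongest hash first."""
    warnings = []
    for st in parse_stanzas(text):
        ident = f"source {st['Package'][0]} {st['Version'][0]}"
        for fld, label in (("Checksums-Sha256", "SHA-256"), ("Checksums-Sha1", "SHA-1")):
            entries = st.get(fld, [])
            if not entries:
                warnings.append(f"WARNING: {ident}: no {label} hash")
            elif not any(e.split()[-1].endswith(".dsc") for e in entries):
                warnings.append(f"WARNING: {ident}: {label} hashes but no hash for the dsc file")
    return warnings
```

Running `check_sources(SAMPLE_SOURCES)` yields the four warning lines quoted in the bug, in the same order.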
