On 01/12/14 at 09:58am, Taylor Hornby wrote:
On 01/12/2014 02:58 AM, Rashif Ray Rahman wrote:
On 12 January 2014 14:09, Taylor Hornby <havoc@defuse.ca> wrote:
Are there other packages still being verified with MD5? Can we fix them too? I'll gladly donate my time if it's not something that can be automated.
Of the 4890 base packages shown by ABS, 2988 are MD5-only. That is 61%, or more than half.
Wow, that's quite a lot.
Do I understand correctly that the hashes are relied on for security? In other words, is it the package (containing the PKGBUILD) that's signed, and once it's verified, it's the PKGBUILD's responsibility to check the integrity of the files it needs?
If so, this should be fixed as soon as possible. How feasible would it be? Could it be as simple as making a script that:
1. Finds the 'source' and 'md5sums' lines. 2. Downloads the packages and checks the md5sums. 3. Computes the SHA256sums, and adds them to the file.
If there's anything I can do to help, let me know.
-- Taylor Hornby
No, you don't rely on hashes for security, hashes are for integrity checks. Signatures are for the verification of a file or message, since anyone can replace the hash on the server and upload a new tarball. Signatures can only be created by the developers private key, it hashes a file or messages, then encrypts this hash with his private key. Then the developer puts the signature and tarball on a server. Everyone who has somehow obtained the developers public key, can verify that the tarball hasn't been tampered with by creating a hash from the tarball and comparing it with the decrypted signature (original hash). If a hacker uploaded a malicious tarball, he would be able to create a new hash, but wouldn't be able to create a new valid signature. PS: the explanation of signing isn't exactly correct, since I didn't explain that there hash is actually not encrypted with the private key. A nice explanation of PGP can be found here: http://www.pgpi.org/doc/pgpintro/ PS2: You may raise more concerns about the truecrypts code. http://istruecryptauditedyet.com/ -- Jelle van der Waa