On Mon, Jan 12, 2009 at 6:06 PM, Jeff Mickey <jeff@archlinux.org> wrote:
> It's pretty far out there. Not to mention I've put sha1 and md5 in a lot of my packages, and I haven't heard of any attacks working against both algorithms to create a buildable malicious executable. And even if that wild and unresearched assumption of using two hashes is wrong, it doesn't matter. Anyone who wanted to do real harm would look at the binary packages we ship, skipping all the above effort.

I don't think it's that far out there... md5 has been known to be vulnerable since 2005 (theorized long before that), and it is possible to create completely different files with the same hash: http://www.mscs.dal.ca/~selinger/md5collision/ SHA-1 is also broken (also for a while now: http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html), but you're right, using them both does give you some protection.

The problem is (which was the point of my original email), unless the users have both checksum types set in their makepkg.conf file, then the verification process of makepkg will show a warning even if both of the checksums are valid. That has been fixed, and I'm merely pointing out that it would be painless to move to a currently secure hash going forward.

Like you said, since source is not downloaded directly from us (meaning we can't control it), being as protected as possible on our side of things will help if any one of our upstream providers does happen to get hacked. That's why I think you should care.

It's true that some day we might have to move to Skein or whatever algorithm NIST decides will be the new SHA-3 standard, but that's just the way things are.

--
Aaron "ElasticDog" Schaefer