8 Dec
4:36 p.m.
On Mon, Dec 8, 2008 at 9:00 AM, Loui Chang <louipc.ist@gmail.com> wrote:
On Mon, Dec 08, 2008 at 07:08:20AM -0600, Dan McGee wrote:
We sign *packages*, not repositories. Will this damn thing about MD5 please die? "Fixing" that still fixes nothing, and I'll pay one million USD to someone that can actually forge a package with a given MD5.
Hah hah! I have my work ahead of me!
Forcing md5sum collisions requires arbitrary null padding. tar can (I think) support this, but not if it's compressed. You can't arbitrarily put nulls in the middle of a gzip'd stream...
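The difference between the two containers mentioned in the last message can be checked with Python's standard library. This is an added example, not part of the original thread; the archive contents, member name and helper names are constructed for illustration. It pads an uncompressed tar with trailing nulls, then inserts nulls into the middle of the gzip'd form.

```python
import gzip
import hashlib
import io
import tarfile
import zlib


def build_tar(payload: bytes = b"constructed package payload\n" * 64) -> bytes:
    """Build a one-member uncompressed tar archive in memory (constructed sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name="pkg/file.txt")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def tar_members(raw: bytes) -> list[str]:
    """List member names of an uncompressed tar held in memory."""
    with tarfile.open(fileobj=io.BytesIO(raw), mode="r:") as tar:
        return tar.getnames()


def insert_nulls(blob: bytes, offset: int, count: int = 64) -> bytes:
    """Return blob with `count` null bytes inserted at `offset`."""
    return blob[:offset] + b"\x00" * count + blob[offset:]


def gunzip_ok(blob: bytes) -> bool:
    """True if blob decompresses cleanly, including the CRC32/length trailer check."""
    try:
        gzip.decompress(blob)
        return True
    except (OSError, EOFError, zlib.error):
        # Invalid deflate data, truncated stream, or trailer mismatch (BadGzipFile).
        return False


if __name__ == "__main__":
    tar_raw = build_tar()
    padded = tar_raw + b"\x00" * 4096            # nulls after the end-of-archive blocks
    print("padded tar members:", tar_members(padded))
    print("digest changed:", hashlib.md5(tar_raw).digest() != hashlib.md5(padded).digest())

    gz = gzip.compress(tar_raw, mtime=0)
    broken = insert_nulls(gz, len(gz) // 2)      # nulls inside the deflate stream
    print("original .tar.gz ok:", gunzip_ok(gz))
    print("null-injected .tar.gz ok:", gunzip_ok(broken))
```

The padded tar still lists the same member although its bytes, and so its digest, differ; the gzip stream with nulls inserted mid-stream is rejected by the decompressor.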