Re: [pacman-dev] [PATCH 1/3] Revise siglevel_t, adding PACKAGE_HASH_OK field
This will just require a SHA256 in addition to an MD5 (if one is even present), that's all (for some reason I thought it was more complicated than that, but you're right). MD5s haven't exactly been broken for our purposes (there are no working preimage attacks against MD5 yet), but there is little reason to expect that it will stay this way for much longer. So yeah, scratch the flag and the corresponding config option, but we should also make SHA256 a requirement at some point. -Kerrick Staley On Jul 18, 2011 2:31 AM, "Allan McRae" <allan@archlinux.org> wrote:
On Mon, Jul 18, 2011 at 3:52 AM, Kerrick Staley <mail@kerrickstaley.com> wrote:
This will just require a SHA256 in addition to an MD5 (if one is even present), that's all (for some reason I thought it was more complicated than that, but you're right). MD5s haven't exactly been broken for our purposes (there are no working preimage attacks against MD5 yet), but there is little reason to expect that it will stay this way for much longer. So yeah, scratch the flag and the corresponding config option, but we should also make SHA256 a requirement at some point.
What do you mean by "requirement"? All the tools we ship will provide it, but since we aren't even verifying it yet in pacman code, that will need to be added first. -Dan
On Mon, Jul 18, 2011 at 7:05 PM, Dan McGee <dpmcgee@gmail.com> wrote:
What do you mean by "requirement"? All the tools we ship will provide it, but since we aren't even verifying it yet in pacman code, that will need to be added first.
I meant to say that I think the SHA256 checks should be a part of "what needs to be done before we can consider signing to be fully implementented", that's all. -Kerrick Staley
participants (2)
-
Dan McGee
-
Kerrick Staley