[arch-dev-public] Can we trust our mirrors?
thomas at archlinux.org
Sat Nov 29 09:00:20 EST 2008
Pierre Schmitz schrieb:
> The simplest solution would be if we sign the db files (automatically) on
> gerolde. Of course this is less secure than signing every single package by
> its packager; but on the other side it would be easy to implement and there
> would be no overhead for packagers.
If this is to provide any security, we need to stop using md5! md5 is
okay when trying to detect corrupted downloads, however it is possible
to find collisions and thus build a "bad" package that has the same md5
as the good package.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 260 bytes
Desc: OpenPGP digital signature
More information about the arch-dev-public