[arch-dev-public] Can we trust our mirrors?

Thomas Bächler thomas at archlinux.org
Sat Nov 29 09:00:20 EST 2008


Pierre Schmitz schrieb:
> The simplest solution would be if we sign the db files (automatically) on
> gerolde. Of course this is less secure than signing every single package by
> its packager; but on the other side it would be easy to implement and there
> would be no overhead for packagers.

If this is to provide any security, we need to stop using md5! md5 is 
okay when trying to detect corrupted downloads, however it is possible 
to find collisions and thus build a "bad" package that has the same md5 
as the good package.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 260 bytes
Desc: OpenPGP digital signature
URL: <http://archlinux.org/pipermail/arch-dev-public/attachments/20081129/2c19b6a6/attachment.pgp>


More information about the arch-dev-public mailing list