[arch-general] [arch-dev-public] Can we trust our mirrors?
Gerhard Brauer
gerhard.brauer at web.de
Sat Nov 29 09:19:58 EST 2008
On Sat, 29 Nov 2008 15:00:20 +0100,
Thomas Bächler <thomas at archlinux.org> wrote:
> Pierre Schmitz wrote:
> > The simplest solution would be if we sign the db files
> > (automatically) on gerolde. Of course this is less secure than
> > signing every single package by its packager; but on the other side
> > it would be easy to implement and there would be no overhead for
> > packagers.
>
> If this is to provide any security, we need to stop using md5! md5 is
> okay when trying to detect corrupted downloads, however it is
> possible to find collisions and thus build a "bad" package that has
> the same md5 as the good package.
For myself, I don't accept the "md5sum is bad" argument as a "stopper"
for each idea to provide a pacman secure concept ;-)
Current situation is:
Everyone who offers a mirror could provide a manipulated pacman or bash
package. He could reduce the content of a binary to a simple rm -rf,
fdisk or something. He only has to tar "his" package and edit the
core.db.tar.gz
If we sign our db files, as a minimum of security:
This would make package manipulating more difficult. Changing the content
of pacman or bash packages (*.pkg.tar.gz) while getting the same md5sum or
sha checksum is surely not impossible - but much more difficult than in
our current situation.
So let's make a first step!
Gerhard
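The scenario Gerhard describes (a mirror swaps a package and then edits core.db.tar.gz to match), and why a signed db blocks the second half of it, as an added example that is not part of the thread and is not pacman's own code. It builds a toy *.pkg.tar.gz and a toy core.db.tar.gz in the %KEY%/value desc layout, records SHA-256 rather than MD5 in line with Thomas's objection, and checks the package only after the db's signature verifies. The "signature" is an HMAC with a key assumed to live only on gerolde; that is a stdlib-only stand-in for the detached GPG signature a real deployment would use (with GPG, clients hold only the public key). Package names, file names and script bodies are constructed for the example.

```python
import hashlib
import hmac
import io
import tarfile

# Stand-in for the signing key kept on gerolde (constructed, not a real
# secret). A real deployment would use an asymmetric GPG key so that
# clients and mirrors only ever hold the public half.
DB_SIGNING_KEY = b"constructed-example-key-not-a-real-secret"


def _tar_gz(entries):
    """Build an in-memory .tar.gz from a {path: bytes} mapping."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in entries.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_package(script_body):
    """A toy *.pkg.tar.gz holding one script; stands in for a real package."""
    return _tar_gz({"usr/bin/tool": script_body})


def build_db(packages):
    """Build a toy core.db.tar.gz: one <name>/desc entry per package in the
    %KEY%\\nvalue\\n\\n layout, carrying the package's SHA-256 (not MD5)."""
    entries = {}
    for name, (filename, pkg_bytes) in packages.items():
        desc = (
            f"%NAME%\n{name}\n\n"
            f"%FILENAME%\n{filename}\n\n"
            f"%SHA256SUM%\n{hashlib.sha256(pkg_bytes).hexdigest()}\n\n"
        )
        entries[f"{name}/desc"] = desc.encode()
    return _tar_gz(entries)


def sign_db(db_bytes):
    """Sign the db bytes as produced on the build host (HMAC stand-in)."""
    return hmac.new(DB_SIGNING_KEY, db_bytes, hashlib.sha256).hexdigest()


def verify_db_signature(db_bytes, signature):
    return hmac.compare_digest(sign_db(db_bytes), signature)


def parse_db(db_bytes):
    """Return {name: {"NAME":..., "FILENAME":..., "SHA256SUM":...}}."""
    result = {}
    with tarfile.open(fileobj=io.BytesIO(db_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.name.endswith("/desc"):
                continue
            text = tar.extractfile(member).read().decode()
            fields, key = {}, None
            for line in text.splitlines():
                if line.startswith("%") and line.endswith("%"):
                    key = line.strip("%")
                elif line and key:
                    fields[key] = line
            result[fields["NAME"]] = fields
    return result


def verify_package(db_bytes, signature, name, pkg_bytes):
    """Client-side check: trust the db only if its signature verifies, then
    trust the package only if it matches the hash the signed db lists."""
    if not verify_db_signature(db_bytes, signature):
        return False, "db signature invalid: db was modified after signing"
    entry = parse_db(db_bytes).get(name)
    if entry is None:
        return False, "package not in db"
    if hashlib.sha256(pkg_bytes).hexdigest() != entry["SHA256SUM"]:
        return False, "checksum mismatch: package differs from the one the db lists"
    return True, "ok"


def demo():
    """The three cases from the thread: honest mirror, swapped package,
    swapped package plus a rewritten (but unsigned) db."""
    good_bash = build_package(b"#!/bin/sh\necho hello\n")
    evil_bash = build_package(b"#!/bin/sh\nrm -rf /\n")  # the mirror's version
    db = build_db({"bash": ("bash-3.2-1.pkg.tar.gz", good_bash)})
    sig = sign_db(db)  # produced on gerolde, served alongside the db

    honest = verify_package(db, sig, "bash", good_bash)
    swapped_pkg = verify_package(db, sig, "bash", evil_bash)
    # The mirror also rewrites core.db.tar.gz so the hash matches its package,
    # but it cannot produce a signature for the rewritten db.
    forged_db = build_db({"bash": ("bash-3.2-1.pkg.tar.gz", evil_bash)})
    swapped_db = verify_package(forged_db, sig, "bash", evil_bash)
    return honest, swapped_pkg, swapped_db


if __name__ == "__main__":
    for ok, why in demo():
        print(ok, why)
```

The order of checks is the point: the db signature is verified before any hash in it is believed, so a mirror that edits the db is caught before its package is even hashed, and a mirror that leaves the db alone is caught by the hash. What the signed db does not cover is a package that collides with the listed hash, which is why the digest recorded in desc has to be one where collisions are impractical.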