[pacman-dev] [PATCH] Remove support for SHA1 from pacman.
Andrew Fyfe
andrew at neptune-one.net
Thu Aug 16 02:52:40 EDT 2007
Aaron Griffin wrote:
> On 8/15/07, Dan McGee <dpmcgee at gmail.com> wrote:
>> What I really want to hear are thoughts on this issue. We are using
>> md5sums for two main reasons- verification of package downloads, and
>> determining whether a backup file has changed. With this in mind, I
>> think md5 is sufficient to serve our needs.
>>
>> Please chime in on this.
>
> There is some history on this somewhere in these list archives. I'll
> summarize my views because I don't want to figure out what thread that
> was.
>
> a) The "md5 is insecure" argument doesn't hold water with archive
> formats. Reproducing an md5sum with a malicious file requires that the
> original file format supports null padding. All of the examples I've
> seen used ps files as you can embed null padding to fluff the md5sum.
> In our case, if you add some padding, it suddenly becomes a corrupt
> archive. Corrupt archives are already checked for before extraction,
> so if the md5sum matches AND it's corrupt, it's either a packager's
> error, or malicious.
> b) We are not using md5 for security. We are using it for integrity.
> These are two totally different things. Instead of saying "I don't
> trust you Mr Mirror", we're saying "I trust the DB file is correct,
> did this download ok". See now there's a subtle problem with this
> point. If we want to implicitly trust the DB files, then we need to
> ensure where they come from. DB files on mirrors might not be
> "trustable". /me shrugs
>
> But my opinions is thus: md5 is faster than sha1, and we're just
> ensuring that we downloaded the file exactly as the server told us to.
> We are not guaranteeing that it is super-duper secure. If we wanted
> that, we'd sign packages. I vote md5
>
> _______________________________________________
> pacman-dev mailing list
> pacman-dev at archlinux.org
> http://archlinux.org/mailman/listinfo/pacman-dev
+1 here
I've made a few tweaks to the patch...
http://neptune-one.homeip.net/git?p=pacman;a=shortlog;h=ready_to_pull
Andrew
More information about the pacman-dev
mailing list