[pacman-dev] MD5/SHA* why?
Jeff Mickey
jeff at archlinux.org
Tue Jul 3 16:02:25 EDT 2007
On 7/3/07, Mateusz Jedrasik <m.jedrasik at gmail.com> wrote:
> Tuesday 03 of July 2007 21:40:17 Andrew Fyfe napisał(a):
> > I asked this question a while ago about makepkg now I'm asking about
> > pacman... why do we need support for multiple checksum types? What's
> > wrong with md5?
The problem with MD5 (and recently SHA1) is that you can find
collisions relatively quickly on a powerful machine (under a day in
some cases). Thus if you found the correct collision that actually
was a valid tarball, that had valid files in it, and one of those
files had something malicious in it, you would be in trouble. I mean,
the chances are close to zero, but md5 has gotten a lot of press on
how "crackable" it is. SHA1 is crackable as well, thought not as
easily.
Now put BOTH sums in your PKGBUILD. Now some third party would have
to find all the collisions for MD5 and SHA1, make sure they create the
same sums as those in the package, and then they would have to see if
that was even any data that could be used for something malicious.
I suggest using both MD5 and SHA1. I seriously doubt there is a
single situation where this would not be enough for validating the
package.
Though I think we should move to signing our packages, so we actually
have security along with validation...
// codemac
--
. : [ + carpe diem totus tuus + ] : .
More information about the pacman-dev
mailing list