[pacman-dev] GPG work

Aaron Griffin aaronmgriffin at gmail.com
Mon Dec 8 11:36:13 EST 2008


On Mon, Dec 8, 2008 at 9:00 AM, Loui Chang <louipc.ist at gmail.com> wrote:
> On Mon, Dec 08, 2008 at 07:08:20AM -0600, Dan McGee wrote:
>> We sign *packages*, not repositories. Will this damn thing about MD5
>> please die? "Fixing" that still fixes nothing, and I'll pay one
>> million USD to someone that can actually forge a package with a given
>> MD5.
>
> Hah hah! I have my work ahead of me!

Forcing md5sum collisions requires arbitrary null padding. tar can (I
think) support this, but not if it's compressed. You can't arbitrarily
put nulls in the middle of a gzip'd stream...
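The container behaviour the message relies on can be checked directly. The script below is an added example, not code from this thread or from pacman: it builds a small tar archive from constructed file contents (the names and data are made up, not a real package), appends a run of null bytes after the end-of-archive marker and shows that the archive still extracts to the same files while its MD5 changes, then injects the same kind of null run into a gzip stream and shows the decoder rejects it. It only demonstrates what each container tolerates; it does not construct an MD5 collision.

```python
import gzip
import hashlib
import io
import tarfile
import zlib

# Constructed sample payload for the demo (not a real pacman package).
SAMPLE_FILES = {
    "usr/bin/hello": b"#!/bin/sh\necho hello\n",
    ".PKGINFO": b"pkgname = hello\npkgver = 1.0-1\n",
}


def build_tar(files):
    """Return an uncompressed ustar archive holding `files` (name -> bytes)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_tar(blob):
    """Extract every regular file of an in-memory tar into a dict."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tf:
        for member in tf:
            if member.isfile():
                out[member.name] = tf.extractfile(member).read()
    return out


def pad_tar(blob, nulls):
    """Append `nulls` zero bytes after the archive's end-of-archive marker.
    tar readers stop at the first all-zero header block, so this is ignored."""
    return blob + b"\x00" * nulls


def inject_into_gzip(blob, junk, offset=10):
    """Insert bytes into a gzip stream. Offset 10 is right after the fixed
    10-byte header that gzip.compress() emits (no optional header fields),
    i.e. at the first byte of the deflate data."""
    return blob[:offset] + junk + blob[offset:]


def gzip_decompresses(blob):
    """True if the stream decodes cleanly, False if the decoder rejects it."""
    try:
        gzip.decompress(blob)
        return True
    except (OSError, EOFError, zlib.error):
        # BadGzipFile is an OSError; corrupt deflate data raises zlib.error
        return False


def md5(blob):
    return hashlib.md5(blob).hexdigest()


def demo():
    tar_blob = build_tar(SAMPLE_FILES)
    padded = pad_tar(tar_blob, 4096)
    # tar: trailing padding changes the digest but not what extracts
    same_content = read_tar(padded) == read_tar(tar_blob) == SAMPLE_FILES
    digests_differ = md5(padded) != md5(tar_blob)
    # gzip: an injected null run inside the stream breaks decompression
    # (8 zero bytes decode as a stored block whose LEN/NLEN check fails)
    gz = gzip.compress(tar_blob, mtime=0)
    broken = inject_into_gzip(gz, b"\x00" * 8)
    return {
        "tar_padding_preserves_content": same_content,
        "tar_padding_changes_md5": digests_differ,
        "gzip_intact_ok": gzip_decompresses(gz),
        "gzip_injected_ok": gzip_decompresses(broken),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it prints the four checks; the first three come out True and the last False. The padding is placed after the archive's end-of-archive blocks because Python's tarfile, like most readers, stops at the first zero header block, so nulls between members would truncate the archive rather than be ignored.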

