On Sun, Aug 02, 2015 at 10:47:44PM +0200, Vincent Lefevre wrote:
> On 2015-08-02 11:45:38 -0700, Russ Allbery wrote:
> > There were a few long messages to this thread that I didn't absorb in
> > their entirety, so apologies if this is a repeat. But another angle of
> > this is that the discussion is about using lzip *for Debian packages*. In
> > that context, being tolerant of appended data, or *any* other form of
> > modification to the file, is basically pointless.
>
> I don't think that it is pointless. I would say that it must *not*
> be tolerant to appended data, because...
>
> > Debian packages are
> > authenticated and protected via cryptographic signatures, which will not
> > match if there are any changes at all to the file, even appending a nul
> > byte. And if the signature doesn't verify, one should treat the package
> > with extreme suspicion, and certainly should not be installing it on a
> > system except in a very controlled environment for investigative purposes.
>
> The purpose of adding garbage could be to make a modified tarball
> match the signature. Of course, this would mean that the system
> would no longer be cryptographically safe in general, but it might
> still be safe for some class of files with a fixed structure, such
> as xz. And not everyone would render a vulnerability public...
> So, it is safer not to accept garbage when decoding.
As soon as someone can generate hash collisions we're screwed anyway.

Regards,
David
--
 /) David Weinehall <t...@debian.org> /) Rime on my window            (\
// ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ // Diamond-white roses of fire  //
\) http://www.acc.umu.se/~tao/       (/ Beautiful hoar-frost         (/

Archive: https://lists.debian.org/20150806183957.gd27...@suiko.acc.umu.se
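An added illustration of the tolerance the thread argues about (my own example, not code from anyone in the thread), using Python's `lzma` module on a constructed `.xz` stream with constructed bytes appended after its footer: the stdlib `lzma.decompress()` silently ignores leftover bytes that do not form a further stream, whereas a strict decoder built on `LZMADecompressor` refuses anything after the stream.

```python
import lzma

# Constructed sample: a small package-like member as a single .xz stream,
# plus a copy with 16 non-stream bytes appended after the stream footer.
PAYLOAD = b"Package: example\nVersion: 1.0-1\n"
CLEAN = lzma.compress(PAYLOAD, format=lzma.FORMAT_XZ)
TAMPERED = CLEAN + b"GARBAGE GARBAGE!"  # constructed appended garbage


def strict_xz_decode(data: bytes) -> bytes:
    """Decode exactly one .xz stream and refuse any byte that follows it.

    LZMADecompressor stops at the stream footer and exposes whatever came
    after it in .unused_data, so the strict check is: the stream must have
    ended (eof) and nothing may be left over.
    """
    decomp = lzma.LZMADecompressor(format=lzma.FORMAT_XZ)
    payload = decomp.decompress(data)
    if not decomp.eof:
        raise ValueError("truncated: end-of-stream marker not reached")
    if decomp.unused_data:
        raise ValueError(
            f"{len(decomp.unused_data)} byte(s) of trailing data after the stream")
    return payload


def lenient_xz_decode(data: bytes) -> bytes:
    """Tolerant behaviour: lzma.decompress() decodes concatenated streams and
    drops leftover bytes that are not a valid stream, without complaint."""
    return lzma.decompress(data, format=lzma.FORMAT_XZ)


def verdicts(data: bytes) -> tuple:
    """Run both decoders on the same bytes: (lenient_output, strict_verdict)."""
    lenient = lenient_xz_decode(data)
    try:
        strict_xz_decode(data)
        verdict = "accepted"
    except ValueError as exc:
        verdict = f"rejected ({exc})"
    return lenient, verdict


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("tampered", TAMPERED)):
        out, verdict = verdicts(blob)
        print(f"{name:9s} lenient -> {out!r:40} strict -> {verdict}")
```

One caveat: the .xz format itself permits trailing stream padding (null bytes in multiples of four after the last stream), so a spec-conformant strict decoder has to distinguish that padding from arbitrary appended data; the function above rejects both.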