Re: [arch-general] Packages Verified with MD5

2014-01-14 Thread Eduardo Machado
2014/1/12 Taylor Hornby > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On 01/12/2014 01:56 PM, Kyle Terrien wrote: > > On 01/12/2014 12:40 PM, Taylor Hornby wrote: > >>> I guess I just don't understand what happens when I type > >>> "pacman -S firefox." Does that run the PKGBUILD on my sys

Re: [arch-general] Packages Verified with MD5

2014-01-13 Thread Taylor Hornby
On 01/13/2014 02:49 AM, Rashif Ray Rahman wrote: > On 13 January 2014 00:58, Taylor Hornby wrote: >> > If so, this should be fixed as soon as possible. How feasible would it >> > be? Could it be as simple as making a script that: >> > >> > 1. Finds the 'source' and 'md5sums' lines. >> > 2. Downloa

Re: [arch-general] Packages Verified with MD5

2014-01-13 Thread Rashif Ray Rahman
On 13 January 2014 00:58, Taylor Hornby wrote: > If so, this should be fixed as soon as possible. How feasible would it > be? Could it be as simple as making a script that: > > 1. Finds the 'source' and 'md5sums' lines. > 2. Downloads the packages and checks the md5sums. > 3. Computes the SHA256su

Re: [arch-general] Packages Verified with MD5

2014-01-12 Thread Kyle Terrien
On 01/12/2014 01:13 PM, Taylor Hornby wrote: > Thank you, that makes so much more sense! > > So, really, the vulnerability only exists while the Arch dev (or > package maintainer or whatever they're called) is building the > package. Once they do, and sign it, all Arch users will verify their > si

Re: [arch-general] Packages Verified with MD5

2014-01-12 Thread Mark Lee
On Sun, 2014-01-12 at 16:37 -0500, Mark Lee wrote: > On Sun, 2014-01-12 at 16:29 -0500, Mark Lee wrote: > > On Sun, 2014-01-12 at 11:29 -0700, Taylor Hornby wrote: > > > On 01/12/2014 10:11 AM, Mark Lee wrote: > > > > Perhaps I'm not strong enough in mathematics but I'd like to know how > > > > pos

Re: [arch-general] Packages Verified with MD5

2014-01-12 Thread Mark Lee
On Sun, 2014-01-12 at 16:29 -0500, Mark Lee wrote: > On Sun, 2014-01-12 at 11:29 -0700, Taylor Hornby wrote: > > On 01/12/2014 10:11 AM, Mark Lee wrote: > > > Perhaps I'm not strong enough in mathematics but I'd like to know how > > > possible md5 collisions can be weaponized. From what I see, the

Re: [arch-general] Packages Verified with MD5

2014-01-12 Thread Mark Lee
On Sun, 2014-01-12 at 11:29 -0700, Taylor Hornby wrote: > On 01/12/2014 10:11 AM, Mark Lee wrote: > > Perhaps I'm not strong enough in mathematics but I'd like to know how > > possible md5 collisions can be weaponized. From what I see, the idea > > would be to modify a binary such that it contains

Re: [arch-general] Packages Verified with MD5

2014-01-12 Thread Taylor Hornby
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/12/2014 01:56 PM, Kyle Terrien wrote: > On 01/12/2014 12:40 PM, Taylor Hornby wrote: >>> I guess I just don't understand what happens when I type >>> "pacman -S firefox." Does that run the PKGBUILD on my system, >>> or does it download and instal

Re: [arch-general] Packages Verified with MD5

2014-01-12 Thread Anatol Pomozov
Hi, I believe the topic starter has concerns about weakness of the MD5 hash algorithm. He suggests to deprecate md5sums=() and use a cryptographic hash algorithm like SHA256. Personally I avoid MD5 in my packages because of its bad reputation. But I am not a crypto expert though. > I have been ass

Re: [arch-general] Packages Verified with MD5

2014-01-12 Thread Kyle Terrien
On 01/12/2014 12:40 PM, Taylor Hornby wrote: > I guess I just don't understand what happens when I type "pacman -S > firefox." Does that run the PKGBUILD on my system, or does it download > and install pre-compiled (and signed) Firefox binaries that were > created by one of the Arch developers usin

Re: [arch-general] Packages Verified with MD5

2014-01-12 Thread Karol Blazewicz
On Sun, Jan 12, 2014 at 9:40 PM, Taylor Hornby wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On 01/12/2014 10:27 AM, Jelle van der Waa wrote: >> No, you don't rely on hashes for security, hashes are for >> integrity checks. Signatures are for the verification of a file or >> message

Re: [arch-general] Packages Verified with MD5

2014-01-12 Thread Taylor Hornby
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/12/2014 10:27 AM, Jelle van der Waa wrote: > No, you don't rely on hashes for security, hashes are for > integrity checks. Signatures are for the verification of a file or > message, since anyone can replace the hash on the server and upload > a

Re: [arch-general] Packages Verified with MD5

2014-01-12 Thread Никола Вукосављевић
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 12.1.2014 19:29, Taylor Hornby wrote: > On 01/12/2014 10:11 AM, Mark Lee wrote: >> Perhaps I'm not strong enough in mathematics but I'd like to know >> how possible md5 collisions can be weaponized. From what I see, >> the idea would be to modify a

Re: [arch-general] Packages Verified with MD5

2014-01-12 Thread Taylor Hornby
On 01/12/2014 10:11 AM, Mark Lee wrote: > Perhaps I'm not strong enough in mathematics but I'd like to know how > possible md5 collisions can be weaponized. From what I see, the idea > would be to modify a binary such that it contains malicious code > (without changing the md5sum). Since most secur

Re: [arch-general] Packages Verified with MD5

2014-01-12 Thread Jelle van der Waa
On 01/12/14 at 09:58am, Taylor Hornby wrote: > On 01/12/2014 02:58 AM, Rashif Ray Rahman wrote: > > On 12 January 2014 14:09, Taylor Hornby wrote: > >> Are there other packages still being verified with MD5? Can we fix them > >> too? I'll gladly donate my time if it's not something that can be >

Re: [arch-general] Packages Verified with MD5

2014-01-12 Thread Mark Lee
On Sat, 2014-01-11 at 23:09 -0700, Taylor Hornby wrote: > I noticed that the TrueCrypt package is downloaded over an insecure FTP > connection and then only verified using MD5 hashes. > > https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/truecrypt > > There are p

Re: [arch-general] Packages Verified with MD5

2014-01-12 Thread Leonid Isaev
On Sun, 12 Jan 2014 09:30:04 -0700 Taylor Hornby wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On 01/12/2014 02:21 AM, Jelle van der Waa wrote: > > SHA256 hashes won't fix anything, since hashes are only integrity > > checks telling you the downloaded file isn't corrupt. > > Rig

Re: [arch-general] Packages Verified with MD5

2014-01-12 Thread Taylor Hornby
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/12/2014 09:30 AM, Taylor Hornby wrote: > The .sig file on the FTP server is the same one you can download > from the TrueCrypt website. If it's used to verify the packages, > the client needs a secure way to get the TrueCrypt Foundation's > publi

Re: [arch-general] Packages Verified with MD5

2014-01-12 Thread Taylor Hornby
On 01/12/2014 02:58 AM, Rashif Ray Rahman wrote: > On 12 January 2014 14:09, Taylor Hornby wrote: >> Are there other packages still being verified with MD5? Can we fix them >> too? I'll gladly donate my time if it's not something that can be automated. > > Of the 4890 base packages shown by ABS,

Re: [arch-general] Packages Verified with MD5

2014-01-12 Thread Taylor Hornby
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/12/2014 02:21 AM, Jelle van der Waa wrote: > SHA256 hashes won't fix anything, since hashes are only integrity > checks telling you the downloaded file isn't corrupt. Right. I assumed it was the PKGBUILD that was signed and verified, then it wa

Re: [arch-general] Packages Verified with MD5

2014-01-12 Thread sehraf
On 12.01.2014 10:21, Jelle van der Waa wrote: > On 01/11/14 at 11:09pm, Taylor Hornby wrote: >> ... > SHA256 hashes won't fix anything, since hashes are only integrity checks > telling you the downloaded file isn't corrupt. > > Signatures however are made to verify that the content isn't modif

Re: [arch-general] Packages Verified with MD5

2014-01-12 Thread Rashif Ray Rahman
On 12 January 2014 14:09, Taylor Hornby wrote: > Are there other packages still being verified with MD5? Can we fix them > too? I'll gladly donate my time if it's not something that can be automated. Of the 4890 base packages shown by ABS, 2988 are MD5-only. That is 61%, or more than half. -- G

Re: [arch-general] Packages Verified with MD5

2014-01-12 Thread Jelle van der Waa
On 01/11/14 at 11:09pm, Taylor Hornby wrote: > I noticed that the TrueCrypt package is downloaded over an insecure FTP > connection and then only verified using MD5 hashes. > > https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/truecrypt > > There are practical co

[arch-general] Packages Verified with MD5

2014-01-11 Thread Taylor Hornby
I noticed that the TrueCrypt package is downloaded over an insecure FTP connection and then only verified using MD5 hashes. https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/truecrypt There are practical collision attacks against MD5. This means an adversary (e.g