2014/1/12 Taylor Hornby
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On 01/12/2014 01:56 PM, Kyle Terrien wrote:
> > On 01/12/2014 12:40 PM, Taylor Hornby wrote:
> >>> I guess I just don't understand what happens when I type
> >>> "pacman -S firefox." Does that run the PKGBUILD on my sys
On 01/13/2014 02:49 AM, Rashif Ray Rahman wrote:
> On 13 January 2014 00:58, Taylor Hornby wrote:
>> > If so, this should be fixed as soon as possible. How feasible would it
>> > be? Could it be as simple as making a script that:
>> >
>> > 1. Finds the 'source' and 'md5sums' lines.
>> > 2. Downloa
On 13 January 2014 00:58, Taylor Hornby wrote:
> If so, this should be fixed as soon as possible. How feasible would it
> be? Could it be as simple as making a script that:
>
> 1. Finds the 'source' and 'md5sums' lines.
> 2. Downloads the packages and checks the md5sums.
> 3. Computes the SHA256su
On 01/12/2014 01:13 PM, Taylor Hornby wrote:
> Thank you, that makes so much more sense!
>
> So, really, the vulnerability only exists while the Arch dev (or
> package maintainer or whatever they're called) is building the
> package. Once they do, and sign it, all Arch users will verify their
> si
On Sun, 2014-01-12 at 16:37 -0500, Mark Lee wrote:
> On Sun, 2014-01-12 at 16:29 -0500, Mark Lee wrote:
> > On Sun, 2014-01-12 at 11:29 -0700, Taylor Hornby wrote:
> > > On 01/12/2014 10:11 AM, Mark Lee wrote:
> > > > Perhaps I'm not strong enough in mathematics but I'd like to know how
> > > > pos
On Sun, 2014-01-12 at 16:29 -0500, Mark Lee wrote:
> On Sun, 2014-01-12 at 11:29 -0700, Taylor Hornby wrote:
> > On 01/12/2014 10:11 AM, Mark Lee wrote:
> > > Perhaps I'm not strong enough in mathematics but I'd like to know how
> > > possible md5 collisions can be weaponized. From what I see, the
On Sun, 2014-01-12 at 11:29 -0700, Taylor Hornby wrote:
> On 01/12/2014 10:11 AM, Mark Lee wrote:
> > Perhaps I'm not strong enough in mathematics but I'd like to know how
> > possible md5 collisions can be weaponized. From what I see, the idea
> > would be to modify a binary such that it contains
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 01/12/2014 01:56 PM, Kyle Terrien wrote:
> On 01/12/2014 12:40 PM, Taylor Hornby wrote:
>>> I guess I just don't understand what happens when I type
>>> "pacman -S firefox." Does that run the PKGBUILD on my system,
>>> or does it download and instal
Hi,
I believe the topic stater has concerns about weakness of the MD5 hash
algorithm. He suggests to deprecate md5sums=() and use cryptographic
hash algorithm like SHA256. Personally I avoid MD5 in my packages
because of its bad reputation. But I am not an crypto expert though.
> I have been ass
On 01/12/2014 12:40 PM, Taylor Hornby wrote:
> I guess I just don't understand what happens when I type "pacman -S
> firefox." Does that run the PKGBUILD on my system, or does it download
> and install pre-compiled (and signed) Firefox binaries that were
> created by one of the Arch developers usin
On Sun, Jan 12, 2014 at 9:40 PM, Taylor Hornby wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On 01/12/2014 10:27 AM, Jelle van der Waa wrote:
>> No, you don't rely on hashes for security, hashes are for
>> integrity checks. Signatures are for the verification of a file or
>> message
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 01/12/2014 10:27 AM, Jelle van der Waa wrote:
> No, you don't rely on hashes for security, hashes are for
> integrity checks. Signatures are for the verification of a file or
> message, since anyone can replace the hash on the server and upload
> a
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 12.1.2014 19:29, Taylor Hornby wrote:
> On 01/12/2014 10:11 AM, Mark Lee wrote:
>> Perhaps I'm not strong enough in mathematics but I'd like to know
>> how possible md5 collisions can be weaponized. From what I see,
>> the idea would be to modify a
On 01/12/2014 10:11 AM, Mark Lee wrote:
> Perhaps I'm not strong enough in mathematics but I'd like to know how
> possible md5 collisions can be weaponized. From what I see, the idea
> would be to modify a binary such that it contains malicious code
> (without changing the md5sum). Since most secur
On 01/12/14 at 09:58am, Taylor Hornby wrote:
> On 01/12/2014 02:58 AM, Rashif Ray Rahman wrote:
> > On 12 January 2014 14:09, Taylor Hornby wrote:
> >> Are there other packages still being verified with MD5? Can we fix them
> >> too? I'll gladly donate my time if it's not something that can be
>
On Sat, 2014-01-11 at 23:09 -0700, Taylor Hornby wrote:
> I noticed that the TrueCrypt package is downloaded over an insecure FTP
> connection and then only verified using MD5 hashes.
>
> https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/truecrypt
>
> There are p
On Sun, 12 Jan 2014 09:30:04 -0700
Taylor Hornby wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On 01/12/2014 02:21 AM, Jelle van der Waa wrote:
> > SHA256 hashes won't fix anything, since hashes are only integritiy
> > checks telling you the downloaded file isn't corrupt.
>
> Rig
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 01/12/2014 09:30 AM, Taylor Hornby wrote:
> The .sig file on the FTP server is the same one you can download
> from the TrueCrypt website. If it's used to verify the packages,
> the client needs a secure way to get the TrueCrypt Foundation's
> publi
On 01/12/2014 02:58 AM, Rashif Ray Rahman wrote:
> On 12 January 2014 14:09, Taylor Hornby wrote:
>> Are there other packages still being verified with MD5? Can we fix them
>> too? I'll gladly donate my time if it's not something that can be automated.
>
> Of the 4890 base packages shown by ABS,
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 01/12/2014 02:21 AM, Jelle van der Waa wrote:
> SHA256 hashes won't fix anything, since hashes are only integritiy
> checks telling you the downloaded file isn't corrupt.
Right. I assumed it was the PKGBUILD that was signed and verified,
then it wa
Am 12.01.2014 10:21, schrieb Jelle van der Waa:
> On 01/11/14 at 11:09pm, Taylor Hornby wrote:
>> ...
> SHA256 hashes won't fix anything, since hashes are only integritiy checks
> telling you the downloaded file isn't corrupt.
>
> Signatures however are made to verify that the content isn't modif
On 12 January 2014 14:09, Taylor Hornby wrote:
> Are there other packages still being verified with MD5? Can we fix them
> too? I'll gladly donate my time if it's not something that can be automated.
Of the 4890 base packages shown by ABS, 2988 are MD5-only. That is
61%, or more than half.
--
G
On 01/11/14 at 11:09pm, Taylor Hornby wrote:
> I noticed that the TrueCrypt package is downloaded over an insecure FTP
> connection and then only verified using MD5 hashes.
>
> https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/truecrypt
>
> There are practical co
I noticed that the TrueCrypt package is downloaded over an insecure FTP
connection and then only verified using MD5 hashes.
https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/truecrypt
There are practical collision attacks against MD5. This means an
adversary (e.g
24 matches
Mail list logo
