On Tue 2019-10-22 23:03:49 +0200, Thomas Schmitt wrote:
> It does so for cross-table key matching, where MD5 suffices by all means
> of hash table theory.

I'm unaware of the meaning of "cross-table key matching", but it's known
to be relatively easy to find collisions in MD5.

If the adversary can convince any DD to upload an obviously harmless
package of the adversary's choice into the archive, then the adversary
can also craft another package with a matching MD5sum.

As a DD, i don't want my signature authorizing a specific upload to be
used to distribute some other file to our users.

> There is bug #887837 where i propose to add a reminder message at the end
> of the jigdo-lite run.

You probably don't mean it this way, but this sounds like it will make
what should be the software author's problem into the user's problem.  i
think we should be more user-friendly than that.  I've followed up on
that bug report separately.

> Debian could really need an end-user comprehensible description of the
> credible verification from GPG to SHA512 to ISO. This is completely
> independent of jigdo and applies to all download methods for ISOs.

I agree that this kind of separate documentation would be great to have,
and is independent of this bug report.

Thanks for your attention to (and efforts on behalf of) jigdo,

    --dkg

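An added illustration, not part of this email or of jigdo's own code, of the SHA512 step in the "GPG to SHA512 to ISO" chain the quoted message mentions: it parses a SHA512SUMS-style file, verifies a file against it with a constant-time comparison, and refuses to count an MD5-length entry as verification, for the collision reason dkg gives above. The file name, file bytes and checksum lines are constructed sample data.

```python
import hashlib
import hmac
import re

# Constructed sample data: a stand-in for an ISO image and checksum lines in
# the "<hexdigest>  <filename>" layout used by Debian's SHA512SUMS files.
ISO_NAME = "example-netinst.iso"
ISO_BYTES = b"constructed stand-in for an ISO image\n"
SHA512SUMS = f"{hashlib.sha512(ISO_BYTES).hexdigest()}  {ISO_NAME}\n"
# Same layout, but an MD5 digest: matches the bytes, yet must not count as
# verification because an attacker who supplies both files can make them collide.
MD5SUMS = f"{hashlib.md5(ISO_BYTES).hexdigest()}  {ISO_NAME}\n"

# Digest lengths (in hex characters) accepted as strong; MD5 (32) and SHA-1 (40)
# are deliberately absent.
STRONG_HEX_LENGTHS = {64: "sha256", 128: "sha512"}

# "<hex> <space or *><name>": the second character is ' ' for text mode, '*' for binary.
LINE_RE = re.compile(r"^([0-9a-fA-F]+) [ *](.+)$")


def parse_sums(text):
    """Split checksum lines into strong entries {name: (algo, hex)} and
    weak entries {name: hex} whose digest length only fits MD5/SHA-1."""
    strong, weak = {}, {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        digest, name = m.group(1).lower(), m.group(2)
        algo = STRONG_HEX_LENGTHS.get(len(digest))
        if algo:
            strong[name] = (algo, digest)
        else:
            weak[name] = digest
    return strong, weak


def verify_blob(data, name, sums_text):
    """True only if `name` has a strong-digest entry that matches `data`."""
    strong, _weak = parse_sums(sums_text)
    if name not in strong:
        return False
    algo, expected = strong[name]
    actual = hashlib.new(algo, data).hexdigest()
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(actual, expected)
```

In practice the SHA512SUMS file is only trusted after its detached GPG signature has been checked; this block covers the step after that one.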