On Wed, 30 Dec 2015 19:38:35 +0100
Björn Persson <bj...@xn--rombobjrn-67a.se> wrote:

> Tim Lauridsen wrote:
> > How do I handle a situation where someone, without my knowledge,
> > uploads new sources to one of my projects? It could be a security
> > problem?
> 
> While I trust that Francesco had only good intentions, the general
> question remains: Is it possible to modify a package without commit
> access by uploading a modified source tarball to the lookaside cache?

Not that I can see. 

> Without commit access to Git the attacker couldn't edit the sources
> file, so – assuming that everything that uses the lookaside cache
> bothers to verify the checksum – the attacker would have to forge a
> tarball that has the same MD5 hash as the original. That is an attack
> on the second-preimage resistance of MD5.

I don't think even that would work, as you cannot upload new sources
with the same md5sum as an existing upload. It would just tell you
it's already uploaded. 
 
> Practical collision attacks on MD5 have existed for more than a
> decade, but to the best of my knowledge no practical second-preimage
> attack is known yet. Thus it's probably not practically possible to
> do this at this time, except maybe to certain well-funded government
> agencies around the world, who may have made further advances
> attacking MD5 than the open cryptographic community has.
> 
> But still, why are we still using MD5?

It's being worked on, we just haven't gotten there yet... 

See: 

https://fedorahosted.org/rel-eng/ticket/5846

kevin


--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
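
Added example (not part of the original thread and not Fedora's own tooling): a toy Python model of the argument above, where the cache stores blobs under filename plus MD5 and a client fetches by the hash pinned in the git-tracked sources file, then re-verifies it. The class and function names, the tarball bytes and the "<md5>  <filename>" line layout are assumptions made for illustration.

```python
import hashlib

class LookasideCache:
    """Toy model: blobs are stored under (filename, md5) and never overwritten."""
    def __init__(self):
        self._blobs = {}

    def upload(self, filename, data):
        key = (filename, hashlib.md5(data).hexdigest())
        if key in self._blobs:
            return "already uploaded"      # same name + same MD5: refused
        self._blobs[key] = data
        return "stored"

    def fetch(self, filename, md5hex):
        return self._blobs[(filename, md5hex)]


def parse_sources(text):
    """Parse 'sources' lines of the assumed form '<md5hex>  <filename>'."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            digest, filename = line.split(None, 1)
            entries[filename.strip()] = digest.lower()
    return entries


def fetch_verified(cache, sources_text, filename):
    """Fetch by the hash pinned in git, then re-verify what came back."""
    expected = parse_sources(sources_text)[filename]
    data = cache.fetch(filename, expected)
    if hashlib.md5(data).hexdigest() != expected:
        raise ValueError("checksum mismatch for " + filename)
    return data


def demo():
    cache = LookasideCache()
    original = b"constructed original tarball bytes"
    modified = b"constructed modified tarball bytes"
    cache.upload("pkg-1.0.tar.gz", original)
    # 'sources' is tracked in git; only committers can change this line.
    sources = hashlib.md5(original).hexdigest() + "  pkg-1.0.tar.gz\n"
    second = cache.upload("pkg-1.0.tar.gz", modified)  # new key, no replacement
    again = cache.upload("pkg-1.0.tar.gz", original)   # duplicate is refused
    ok = fetch_verified(cache, sources, "pkg-1.0.tar.gz") == original
    return second, again, ok
```

The modified upload lands under a different key, so a build that follows the pinned hash still receives the original bytes; the guarantee is only as strong as the hash function used for that pin.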