On Wed, 16 Mar 2005, Peter Conrad wrote:

> Hi,
>
> On Wed, Mar 16, 2005 at 12:26:30PM +0600, Ivan Boldyrev wrote:
> >
> > Tom Lord merges the sexy patch. Even if he re-signs the patch, the
> > MD5 sum in ./checksum will be the same because *.patches.tar.gz is the same.
>
> This is wrong. If Tom merges your patch, he will automatically create
> additional log entries in his own branch. This (among other things, like
> changed timestamps) will lead to a file with a different MD5 sum.
I'm afraid the whole message is a bit different: hack the mirror, hack the
patch while keeping the MD5 intact, and let your attack on software X spread
throughout the world. I've just now looked at tla and baz and found that at
least the mirror on:

http://bazaar.canonical.com/archives/[EMAIL PROTECTED]/

also uses SHA-1 hashes. Since SHA-1 is also considered weak these days, this
does not add that much security, but it is certainly at least something until
arch moves to some more secure hash implementation.

Cheers,
Karel
--
Karel Gardas                  [EMAIL PROTECTED]
ObjectSecurity Ltd.           http://www.objectsecurity.com

_______________________________________________
Gnu-arch-users mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/gnu-arch-users
GNU arch home page: http://savannah.gnu.org/projects/gnu-arch/
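The attack Karel describes, as an added example that is not part of the thread and not code from arch, tla or baz: the two 128-byte messages below are the published MD5 collision pair from Wang, Feng, Lai and Yu (2004), so a mirror operator who swaps one for the other leaves an MD5-only `checksum` file valid. The manifest format (`{algorithm: hexdigest}`) and the function names are assumptions made for this illustration, not anything arch actually writes.

```python
import hashlib

# Two distinct 128-byte messages with the same MD5 digest, as published by
# Wang, Feng, Lai and Yu (2004). Embedded here as sample input for the demo.
_HEX_A = (
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
_HEX_B = (
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)
MSG_A = bytes.fromhex(_HEX_A)   # stands in for the legitimate archive
MSG_B = bytes.fromhex(_HEX_B)   # stands in for the attacker's substitute


def make_manifest(data: bytes, algos) -> dict:
    """Hypothetical checksum manifest: {hashlib algorithm name: hex digest}."""
    return {a: hashlib.new(a, data).hexdigest() for a in algos}


def verify(data: bytes, manifest: dict) -> list:
    """Return the algorithms whose digest does NOT match; an empty list means
    the file is accepted. Every listed digest must match, so a single
    unbroken hash in the manifest is enough to reject a substitute."""
    return [a for a, h in manifest.items()
            if hashlib.new(a, data).hexdigest() != h]


def same_md5_after_suffix(suffix: bytes) -> bool:
    """Merkle-Damgard property: once two equal-length prefixes collide,
    appending the same suffix to both (think: the rest of a tarball)
    keeps their MD5 digests equal, so the collision survives embedding."""
    return (hashlib.md5(MSG_A + suffix).digest()
            == hashlib.md5(MSG_B + suffix).digest())


if __name__ == "__main__":
    md5_only = make_manifest(MSG_A, ["md5"])
    md5_sha1 = make_manifest(MSG_A, ["md5", "sha1"])
    print("MD5-only manifest rejects substitute? ", bool(verify(MSG_B, md5_only)))
    print("MD5+SHA-1 manifest rejects substitute?", bool(verify(MSG_B, md5_sha1)))
    print("MD5 still equal after common suffix?  ",
          same_md5_after_suffix(b"...rest of archive..."))
```

The second digest only helps as long as nobody can produce a pair that collides under both algorithms at once; SHA-1 collisions have since been demonstrated in practice (2017), so today neither hash should stand alone, and a signature over a strong hash is what actually binds an archive to its author.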
