On Wed, Mar 16, 2005 at 10:54:52AM +0000, Bruce Stephens wrote:
> Ivan Boldyrev <[EMAIL PROTECTED]> writes:
>
> [...]
>
> > Attacker creates some sexy patch for TLA (for example, support of
> > multiple hashes from libgcrypt). Then I create another patch that
> > steals gpg passwords that people type when using signed archives.
> >
> > Two patches with the same MD5 signature. Quotation from the paper of
> > a Czech scientist:
>
> Maybe you could do that, but remember these are collisions of things
> which have to be carefully constructed.
>
> Anyway, hashes in Arch are about detecting unexpected modifications
> due to random breakage. If you really care about patches you'd sign
> them, wouldn't you?

Have you noticed that it's THE HASH that gets signed?!?!

--------------------------------------------------------------------------------
- Jan Hudec `Bulb' <[EMAIL PROTECTED]>
_______________________________________________
Gnu-arch-users mailing list
http://lists.gnu.org/mailman/listinfo/gnu-arch-users
GNU arch home page: http://savannah.gnu.org/projects/gnu-arch/