On Wed, 2005-03-16 at 12:39 +0100, Peter Conrad wrote:
> I understood Ivan's scenario like this:
> 
> 1. attacker creates Patch-A (harmless) and Patch-B (evil) with identical
>    checksums
> 2. attacker submits Patch-A to maintainer
> 3. maintainer integrates Patch-A into software, signing it

This is where your (Ivan's?) scenario is flawed: when the maintainer
integrates patch-A into his archive, he doesn't sign patch-A at all.  He
creates a new patch from the changes made by merging patch-A and signs
*that*.

-- 
Matthew Dempsky <[EMAIL PROTECTED]>


_______________________________________________
Gnu-arch-users mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/gnu-arch-users

GNU arch home page:
http://savannah.gnu.org/projects/gnu-arch/
