-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
The Sunday 2007-04-08 at 23:43 -0700, David Brodbeck wrote: > Ryouga Hibiki wrote: > > PS: Unless you know that there's a way to change a package without > > modifying the integrity of these (MD5SUM), is that possible? > > I *think* it's been shown that it's possible to create two different > files that have the same MD5 checksum. Curious! I was thinking of that the other day while falling sleep. It is obviously possible: if it weren't, then we could use the checksum instead of the original file as a brutally effective compression technique. There will be then several (many?) files of the same size having the same checksum. > Exploiting this would require > creating a *meaningful* file with the same checksum as the original, > though, which is much more difficult. Not knowing the in depth mathematical analysis of checksums, my educated guess is that a checksum protects against the chance corruption of a file in transmission, affecting one or many, but not all, of its bytes. It will not protect against the deliberate attempt to generate a file of the same size and checksum; but generating one such file that is a valid file of the same format I imagine could be an herculean task. In the case of the SuSE iso images, the task would be terrible difficult: each rpm inside the iso has also checksums, plus a pgp signature. - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Made with pgp4pine 1.76 iD8DBQFGGf5dtTMYHG2NR9URAuysAKCMl9zILcGYrrmrS3HDS/OoM8FAaQCeOOD+ yBdiXBGKKBLNLZq2j+gqGso= =lSj3 -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]