Felipe Figueiredo ([EMAIL PROTECTED]) wrote on 25 October 2008 07:09:
>On Saturday 25 October 2008 00:20:46 Alexander Konovalenko wrote:
>> On Sat, Oct 25, 2008 at 02:33, Kees Cook <[EMAIL PROTECTED]> wrote:
>> > [...]
>> >
>> > Additionally, it doesn't matter -- it's just the md5 in the email
Marcin Owsiany wrote:
>
> It (generating good and bad package with colliding sum) is actually
> easier than one might think. The reason is that you can embed any kind
> of binary blob inside an executable and make the executable behavior
> dependent on the "version" of the blob.
I retract what I
In article <[EMAIL PROTECTED]> you wrote:
> I assume, it's tradition from the times, when only few people
> used apt-get and friends (and many years apt-get did not have
> signature support). A pointer to a "generic" description for
> people who don't want to/cannot use apt-get would be sufficient
* Sjors Gielen:
> Kees Cook wrote:
>> Additionally, it doesn't matter -- it's just the md5 in the email
>> announcement. The Release and Packages files for the archive have SHA1
>> and SHA256. The md5 from the announcement is almost not important,
>> IMO -- no one should download files individua
On Saturday 25 October 2008 09:28:02 W. Martin Borgert wrote:
> On 2008-10-25 07:09, Felipe Figueiredo wrote:
> > Can anyone please explain why that long list of links and filenames is
> > interesting, or point to a link that does?
>
> I assume, it's tradition from the times, when only few people
>
On Fri, Oct 24, 2008 at 03:12:20PM -0500, Raphael Geissert wrote:
> Bas Steendijk wrote:
> >
> > 2 files with a colliding hash can only be made by someone who can
> > influence the creation of the file (thus, someone inside Debian). He can
> > make a "good" and a "bad" version of a package with th
On 2008-10-25 07:09, Felipe Figueiredo wrote:
> Can anyone please explain why that long list of links and filenames is
> interesting, or point to a link that does?
I assume, it's tradition from the times, when only few people
used apt-get and friends (and many years apt-get did not have
signature
On Saturday 25 October 2008 00:20:46 Alexander Konovalenko wrote:
> On Sat, Oct 25, 2008 at 02:33, Kees Cook <[EMAIL PROTECTED]> wrote:
> > [...]
> >
> > Additionally, it doesn't matter -- it's just the md5 in the email
> > announcement. The Release and Packages files for the archive have SHA1
> >
On Sat, Oct 25, 2008 at 02:33, Kees Cook <[EMAIL PROTECTED]> wrote:
> [...]
>
> Additionally, it doesn't matter -- it's just the md5 in the email
> announcement. The Release and Packages files for the archive have SHA1
> and SHA256. The md5 from the announcement is almost not important,
> IMO --
On Fri, Oct 24, 2008 at 10:35:52PM +0200, Sjors Gielen wrote:
> Kees Cook wrote:
> > Additionally, it doesn't matter -- it's just the md5 in the email
> > announcement. The Release and Packages files for the archive have SHA1
> > and SHA256. The md5 from the announcement is almost not important,
* Raphael Geissert:
> Yeah, but remember that the "bad" version must also be a valid .deb file with
> something inside that does work; otherwise you may just be able to get some
> random stuff with the same file size and md5 sum but without any use.
These days, you can generate meaningful collisi
Kees Cook wrote:
> Additionally, it doesn't matter -- it's just the md5 in the email
> announcement. The Release and Packages files for the archive have SHA1
> and SHA256. The md5 from the announcement is almost not important,
> IMO -- no one should download files individually from the announceme
Bas Steendijk wrote:
>
> 2 files with a colliding hash can only be made by someone who can
> influence the creation of the file (thus, someone inside Debian). He can
> make a "good" and a "bad" version of a package with the same MD5, and
> the same size. For someone to make a file with the same ha
Florian Weimer wrote:
* Bas Steendijk:
I have sent an email a while ago about the security implications of
using MD5 hashes in the security announcements (DSA), but I didn't get
any reply at all from this. Has it been overlooked?
I don't know to which address you sent the address, so I don't
Florian Weimer <[EMAIL PROTECTED]> (24/10/2008):
> I don't know to which address you sent the address, so I don't know if
> it's been overlooked.
[EMAIL PROTECTED] aka.
http://lists.debian.org/debian-security/2008/10/msg00030.html
Mraw,
KiBi.
* Bas Steendijk:
> I have sent an email a while ago about the security implications of
> using MD5 hashes in the security announcements (DSA), but I didn't get
> any reply at all from this. Has it been overlooked?
I don't know to which address you sent the address, so I don't know if
it's been ov
On Fri, Oct 24, 2008 at 04:01:23PM +0200, Nico Golde wrote:
> Hi Bas,
> * Bas Steendijk <[EMAIL PROTECTED]> [2008-10-24 15:44]:
> > I have sent an email a while ago about the security implications of using
> > MD5
> > hashes in the security announcements (DSA), but I didn't get any reply at
> >
Hi Bas,
* Bas Steendijk <[EMAIL PROTECTED]> [2008-10-24 15:44]:
> I have sent an email a while ago about the security implications of using MD5
> hashes in the security announcements (DSA), but I didn't get any reply at all
> from this. Has it been overlooked?
I guess not, it's just strange that
I have sent an email a while ago about the security implications of
using MD5 hashes in the security announcements (DSA), but I didn't get
any reply at all from this. Has it been overlooked?