
Re: dpkg MD5

From Jeremy Stanley <fungi@yuggoth.org>
Newsgroups linux.debian.security
Subject Re: dpkg MD5
Date 2024-11-08 01:30 +0100
Message-ID <JGl2V-7mo3-1@gated-at.bofh.it> (permalink)
References <JGiRr-7kXL-1@gated-at.bofh.it>
Organization linux.* mail to news gateway


On 2024-11-07 16:45:54 -0500 (-0500), David Campbell wrote:
[...]
> dpkg currently uses MD5 to verify packages, but MD5 is considered
> insecure, why not switch to SHA256 (and also update lintian)?
[...]

MD5 is considered insecure to collision attacks, but mounting one
would require that the creator of the original file intentionally
pick content that can hash to the same value as some malicious
content (and even that is nontrivial, but let's set that aside for
the moment).

https://en.wikipedia.org/wiki/Collision_attack

What you're probably worried about is preimage resistance of the
algorithm (and in particular, second preimage resistance, which is
what keeps some random attacker from creating a file which hashes to
the same value as a known good file).

https://en.wikipedia.org/wiki/Preimage_attack

MD5's preimage resistance is not in question presently, that I've
heard, and it would be pretty big news in the cryptography community
if it were.

> Please, include my email address in the CC if you respond to this
> message. I am not subscribed to the mailing list.
[...]

Sorry, GMail doesn't accept messages from my mailserver, and I'm not
going to bother jumping through hoops just to appease them. Anyone
who's interested in Debian security matters should subscribe to the
mailing list or read its archives in a Web browser at the very
least.
-- 
Jeremy Stanley
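
The distinction drawn in the message above between a collision and a second preimage, as an added example that is not part of the original post: MD5 is truncated to 16 bits here so that both searches finish in moments. The function names and the stand-in "known good" content are constructed for illustration.

```python
import hashlib
from itertools import count


def toy_hash(data: bytes, bits: int = 16) -> int:
    """Top `bits` bits of MD5 as an integer: a deliberately weak toy hash."""
    digest = int.from_bytes(hashlib.md5(data).digest(), "big")
    return digest >> (128 - bits)


def find_collision(bits: int = 16):
    """Collision search: the searcher chooses BOTH inputs.

    Any two inputs that happen to match will do, so the birthday bound
    applies: about 2**(bits/2) attempts are expected.
    Returns (first_message, second_message, attempts).
    """
    seen = {}
    for attempts in count(1):
        msg = b"free-choice-%d" % attempts
        h = toy_hash(msg, bits)
        if h in seen:
            return seen[h], msg, attempts
        seen[h] = msg


def find_second_preimage(target: bytes, bits: int = 16):
    """Second-preimage search: one input is fixed by someone else.

    The searcher must hit one specific hash value, so about 2**bits
    attempts are expected. Returns (message, attempts).
    """
    want = toy_hash(target, bits)
    for attempts in count(1):
        msg = b"candidate-%d" % attempts
        if msg != target and toy_hash(msg, bits) == want:
            return msg, attempts


if __name__ == "__main__":
    # Constructed stand-in for a file published by someone else.
    known_good = b"constructed stand-in for a known good file"
    m1, m2, c_attempts = find_collision()
    m, p_attempts = find_second_preimage(known_good)
    print("collision:       %r / %r after %d attempts" % (m1, m2, c_attempts))
    print("second preimage: %r after %d attempts" % (m, p_attempts))
```

The gap between the two attempt counts widens exponentially with the hash length, which is why the two properties are assessed separately for a full-length hash.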
