Date: Mon, 12 Mar 2001 10:33:13 +0200 From: Maxim Sobolev <sobomax@FreeBSD.org> To: Trevor Johnson <trevor@jpj.net> Cc: Kris Kennaway <kris@obsecurity.org>, ports@FreeBSD.org, Alistair Crooks <agc@pkgsrc.org> Subject: Re: new message digest support in pkgsrc (fwd) Message-ID: <3AAC89C9.AC5B544D@FreeBSD.org> References: <20010310215713.Q23492-100000@blues.jpj.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Trevor Johnson wrote: > [...] > > Until Moore's Law is repealed, MD5 will only become less difficult to > crack. Cryptographic experts have been recommending its replacement for > some purposes since at least 1995. Better (longer) hash functions can be > calculated by openssl, which is in our base system. The NetBSD and > OpenBSD projects have adopted these functions for their ports (pkgsrc) > collections. The desirability of keeping more information about distfiles > was anticipated by us during last year's reorganization > (http://www.geocrawler.com/mail/msg.php3?msg_id=4418223&list=167), so > the "md5" files have already been renamed. > > I'd like to see: > - the 160-byte hashes permitted (not required) in the distinfo file. > - a "makesum" target which generates all three hashes, using openssl. > - a "checksum" target which uses whichever hashes exist in distinfo. All this applies only if we presume that the checksum checking has any strong security associated with it. I have strong doubts about that, because: 1. No effective attack scheme has been shown yet; 2. I feel that it is much easier to make a new cvsup/mirror server, that will distribute fake distinfo's/trojaned distfiles for selected clients, than perform costly hash search. -Maxim To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3AAC89C9.AC5B544D>