From owner-freebsd-ports Mon Mar 12 0:33:39 2001 Delivered-To: freebsd-ports@freebsd.org Received: from blizzard.sabbo.net (ns.sabbo.net [193.193.218.18]) by hub.freebsd.org (Postfix) with ESMTP id E56C637B719 for ; Mon, 12 Mar 2001 00:33:32 -0800 (PST) (envelope-from sobomax@FreeBSD.org) Received: from vic.sabbo.net (root@vic.sabbo.net [193.193.218.112]) by blizzard.sabbo.net (8.10.1/8.10.1) with ESMTP id f2C8XBJ02771; Mon, 12 Mar 2001 10:33:14 +0200 Received: from FreeBSD.org (big_brother.vega.com [192.168.1.1]) by vic.sabbo.net (8.11.2/8.11.2) with ESMTP id f2C8XEG84802; Mon, 12 Mar 2001 10:33:14 +0200 (EET) (envelope-from sobomax@FreeBSD.org) Message-ID: <3AAC89C9.AC5B544D@FreeBSD.org> Date: Mon, 12 Mar 2001 10:33:13 +0200 From: Maxim Sobolev Organization: Vega International Capital X-Mailer: Mozilla 4.76 [en] (WinNT; U) X-Accept-Language: uk,ru,en MIME-Version: 1.0 To: Trevor Johnson Cc: Kris Kennaway , ports@FreeBSD.org, Alistair Crooks Subject: Re: new message digest support in pkgsrc (fwd) References: <20010310215713.Q23492-100000@blues.jpj.net> Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 7bit Sender: owner-freebsd-ports@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Trevor Johnson wrote: > [...] > > Until Moore's Law is repealed, MD5 will only become less difficult to > crack. Cryptographic experts have been recommending its replacement for > some purposes since at least 1995. Better (longer) hash functions can be > calculated by openssl, which is in our base system. The NetBSD and > OpenBSD projects have adopted these functions for their ports (pkgsrc) > collections. The desirability of keeping more information about distfiles > was anticipated by us during last year's reorganization > (http://www.geocrawler.com/mail/msg.php3?msg_id=4418223&list=167), so > the "md5" files have already been renamed. > > I'd like to see: > - the 160-byte hashes permitted (not required) in the distinfo file. > - a "makesum" target which generates all three hashes, using openssl. > - a "checksum" target which uses whichever hashes exist in distinfo. All this applies only if we presume that the checksum checking has any strong security associated with it. I have strong doubts about that, because: 1. No effective attack scheme has been shown yet; 2. I feel that it is much easier to make a new cvsup/mirror server, that will distribute fake distinfo's/trojaned distfiles for selected clients, than perform costly hash search. -Maxim To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message