On Fri, Dec 15, 2006 at 06:34:37PM +0100, Christian Boltz wrote: > Am Mittwoch, 13. Dezember 2006 10:33 schrieb Javier Fernández-Sanguino > Peña: > > In order for your md5sum "attack" to really work you have to crack > > *all* mirrors or the user has a ~1/38 chance on stumbling on the > > package that has been replaced by a cracker. Not a very good attack > > IMHO. > > Or the user would despair of 37 "broken" mirrors and be "happy" to > finally find the "good" one ;-)
I guess if really values the md5sum so much, he will probably not fall for a false link in the first place ;) > > Anyway, we could be discussing about this for days. I agree that the > > md5sum should not be taken verbatim from the user's input but, I > > understand, that's something that is fixed in the next release of the > > scripts. > > BTW: The current state of only allowing [0-9a-f] doesn't really help > because one can still inject wrong MD5SUMs. It just prevents some > jokes. Indeed. > > If other's think this should be fixed *right*now* then I > > think the only sensible option is to remove the md5sum information > > from the download page altogether and put it in the packages page > > with the autogenerated content in a cell next to "Installed size". > > Sounds like a very good idea. Please do this change. We should probably use the sha256sum instead, because we have that too nowadays... Anyway, I will happily accept any patches to do just that. Otherwise it will probably have to wait until after christmas (I guess a few days don't hurt since the problem is now at least four years old according to the CVS log). Gruesse, -- Frank Lichtenheld <[EMAIL PROTECTED]> www: http://www.djpig.de/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
