Another party has submitted a contested version of events. We have no reason to treat his version as canonical. LWN did the right thing in pointing to his reply.
And regardless, the wider issue about their attitude to security still stands, regardless of whose story you choose to believe.
McGee: The real story behind Arch Linux package signing
Posted Mar 25, 2011 14:14 UTC (Fri) by tialaramex (subscriber, #21167)
Consider the smoking gun. A bug is filed. The bug has code in it which helps fix a problem. Plenty of people leap on the chance to assert that it's irrelevant to the problem. None of them seem to really understand or explain why MD5 isn't a problem here. McGee makes an unsupported claim about relative likelihood of different attack scenarios, and says the patch as provided isn't acceptable because of its format.
The poster asks for reassurance that reformatting will result in acceptance. He hears nothing for three weeks.
Until the LWN article is published, whereupon magically the change at the top of the bug is applied along with a bug fix and the ticket is closed without comment. Spooky.
Plausible MD5 collision attacks rely on the party who makes package A (the "good" package) colluding with the party that makes package B (the "bad" package) to enable the collision so that A and B have the same hash. This is a serious problem in MD5, but it's not clear that it's a practical threat to a Linux distribution. Still, using SHA256 can't hurt.
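The comment's practical recommendation is to verify packages against SHA256 rather than MD5 digests. The following is an added illustration (not code from the comment, from LWN, or from Arch Linux's tooling) of what that looks like on the verifying side: a small manifest checker that refuses any entry whose digest algorithm is not on an accepted list, so that an md5-only entry cannot be silently accepted even when its digest matches. The package contents, the manifest and the `verify` function are constructed for this example.

```python
import hashlib
import hmac

# Constructed package payloads, embedded so the example runs offline.
PACKAGES = {
    "foo-1.0.pkg": b"constructed package payload for foo",
    "bar-2.1.pkg": b"constructed package payload for bar",
}


def digest(data, algo):
    """Hex digest of data under the named hashlib algorithm."""
    return hashlib.new(algo, data).hexdigest()


# Constructed manifest: one entry still records an MD5 digest, the other SHA-256.
MANIFEST = {
    "foo-1.0.pkg": ("md5", digest(PACKAGES["foo-1.0.pkg"], "md5")),
    "bar-2.1.pkg": ("sha256", digest(PACKAGES["bar-2.1.pkg"], "sha256")),
}

# Policy: only SHA-256 digests are trusted for verification.
ACCEPTED_ALGOS = frozenset({"sha256"})


def verify(name, data, manifest, accepted=ACCEPTED_ALGOS):
    """Check a package against the manifest.

    Returns (ok, reason). A package is rejected if it is missing from the
    manifest, if the manifest records it under an algorithm the policy does
    not accept, or if the recomputed digest differs from the recorded one.
    The comparison is constant-time so verification time leaks nothing about
    how many leading digest characters matched.
    """
    entry = manifest.get(name)
    if entry is None:
        return False, "not in manifest"
    algo, expected = entry
    if algo not in accepted:
        return False, f"digest algorithm {algo} not accepted"
    actual = digest(data, algo)
    if not hmac.compare_digest(actual, expected):
        return False, "digest mismatch"
    return True, "ok"


def weak_entries(manifest, accepted=ACCEPTED_ALGOS):
    """List manifest entries that would need re-hashing to pass the policy."""
    return sorted(n for n, (algo, _) in manifest.items() if algo not in accepted)


if __name__ == "__main__":
    for name, data in PACKAGES.items():
        print(name, verify(name, data, MANIFEST))
    print("entries needing SHA-256 digests:", weak_entries(MANIFEST))
```

With the default policy the md5-recorded package is rejected with "digest algorithm md5 not accepted" even though its digest is correct; widening `accepted` to include `"md5"` makes it pass, which is the downgrade the policy is there to prevent. `weak_entries` gives the maintainer the list of manifest lines that still need a SHA-256 digest.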
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds