At least some of what's claimed by McGee is contradicted by his own sources. In some places he even directly contradicts himself. Overall my take on this is "Wah, it's mean that people said these things about us, even if they were true, they should shut up about it". The attack on LWN itself would be more convincing if he'd said this six months ago, or six years from now, rather than immediately after an article that is critical of him and his project.
Consider the smoking gun. A bug is filed. The bug has code in it which helps fix a problem. Plenty of people leap on the chance to assert that it's irrelevant to the problem. None of them seem to really understand or explain why MD5 isn't a problem here. McGee makes an unsupported claim about relative likelihood of different attack scenarios, and says the patch as provided isn't acceptable because of its format.
The poster asks for reassurance that reformatting will result in acceptance. He hears nothing for three weeks.
Until the LWN article is published, whereupon magically the change at the top of the bug is applied along with a bug fix and the ticket is closed without comment. Spooky.
Plausible MD5 collision attacks rely on the party who makes package A (the "good" package) colluding with the party that makes package B (the "bad" package) to enable the collision so that A and B have the same hash. This is a serious problem in MD5, but it's not clear that it's a practical threat to a Linux distribution. Still, using SHA256 can't hurt.