For sure he would not try to play with rogue signatures but use some simple vulnerability to get access to a developer's machine or an FTP server or whatever. This is far easier in terms of time needed and cost involved than anything else. The signatures on packages are okay, but what does such a signature actually tell us: The package has been created by a project's developer! It does not tell us how diligent he manages his machine, from where he got the upstream source, what tools he used for building and editing, how strong the door to his room is protected, how he manages his secret key, what other software is running on the development box, whether he uses HTML mail (like the author of the article) and thus possible easier to attack mail readers, and so forth.
Precomputed collisions in a properly setup PKI, like the one used by Debian, requires the secret key of the developer. Thus such an attack is irrelevant - we can't protect ourself against a rogue developer.
Rushing out mainly unneeded fixes is one thing, preparing for the future is better and that is what we are doing with GnuPG. In a few years we will have a large installation base of modern GnuPG versions and then switching to a more modern algorithm will be far easier than what Daniel is currently proposing.
Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds