
Re: Deltarpm *not* ready for new RPM checksums (was Re: Ready for new RPM version?)



On Tue, Mar 10, 2009 at 07:52:32PM +0200, Jonathan Dieter wrote:
> On Tue, 2009-03-10 at 19:41 +0200, Jonathan Dieter wrote:
> > Ok, I've been trying this, but how can we tell if the sequence is sha256
> > or md5 if we're *just* given the sequence (i.e. applydeltarpm -c -s
> > audit-libs-1.7.12-1.fc11-04548395de7d18795d88b32ea98897e90140 where it's
> > a sha256 sequence)?
> 
> Ok, I've got it.  We just check against md5 first, then sha256 if md5
> doesn't match.  It's not elegant, but it should work fine, especially
> since we're only checking for verification, *not* security.
> 
> Jonathan

Sorry for jumping in that late, but assuming a malicious deltarpm that
could fake a matching md5 sum to pass validation, wouldn't it get
applied and make that a security issue?
-- 
Axel.Thimm at ATrpms.net
