I wonder whether there is a specific reason for the integrity check in /etc/makepkg.conf to default to md5, since md5 is broken in terms of collisions.
Doesn't that enable evil people to use two different files where the integrity check should actually ensure that only one is served?
Edit: as the title suggests I thought it would change with pacman 4.1.0 :)
Last edited by heinrich5991 (2013-04-04 23:31:48)
It is a quick download integrity check, not a source integrity check (PGP signatures should be used instead). And you can change it to whatever you want...
It is a quick download integrity check, not a source integrity check (PGP signatures should be used instead). And you can change it to whatever you want...
It's not about the source check, I think I'm aware of that. However, it is in place to ensure that all people having the same checksum in the PKGBUILD should get the *same* sources, which md5 isn't able to provide.
Why is md5 not able to provide that? A collision was generated once for server certificates, but doing a collision for a package is (as far as I know) impossible nowadays. We should move out from md5, but the probability of having a collision on data packages is very near to 0. Am I missing something?
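To make the point of the thread concrete, here is a small makepkg-style checker written for this post; it is an added example, not pacman's or makepkg's own code. It mimics what makepkg does with the `md5sums=()` / `sha256sums=()` arrays in a PKGBUILD (hash the downloaded file, compare it to the recorded digest, honour `SKIP`) and shows the mitigation both earlier replies point at: record a collision-resistant digest alongside or instead of md5, which on the makepkg side means setting `INTEGRITY_CHECK=(sha256)` in /etc/makepkg.conf so `makepkg -g` emits `sha256sums` instead of `md5sums`. The sample source bytes, the `make_pkgbuild` helper and the function names are constructed for the demo; the PKGBUILD array names and the `SKIP` convention are the real ones.

```python
"""Hypothetical makepkg-style source integrity checker (added example, not pacman code)."""
import hashlib
import re

# Digest algorithms a PKGBUILD can carry, strongest first. The hashlib names
# double as the prefix of the PKGBUILD array (md5 -> md5sums, sha256 -> sha256sums).
ALGO_ORDER = ["sha512", "sha256", "sha1", "md5"]
# Collision-prone digests: fine as a download sanity check, not as the only check.
WEAK_ALGOS = {"md5", "sha1"}


def parse_sums(pkgbuild_text):
    """Return {algo: [hex digests]} from lines like md5sums=('abc...' 'SKIP')."""
    sums = {}
    for m in re.finditer(r"^(md5|sha1|sha256|sha512)sums=\(([^)]*)\)", pkgbuild_text, re.M):
        algo, body = m.group(1), m.group(2)
        sums[algo] = re.findall(r"'([^']*)'", body)
    return sums


def digest(data, algo):
    """Lower-case hex digest of data with the named hashlib algorithm."""
    return hashlib.new(algo, data).hexdigest()


def verify_source(data, index, sums):
    """Verify source number `index` against every checksum array present.

    Returns (ok, algos_checked, warnings). A single mismatch fails the check;
    a file that only passed collision-prone digests passes with a warning.
    """
    checked, warnings = [], []
    for algo in ALGO_ORDER:
        if algo not in sums:
            continue
        expected = sums[algo][index]
        if expected == "SKIP":
            warnings.append(f"{algo}: check skipped")
            continue
        if digest(data, algo) != expected.lower():
            return False, checked, warnings + [f"{algo}: mismatch"]
        checked.append(algo)
    if not checked:
        return False, checked, warnings + ["no usable checksum"]
    if all(a in WEAK_ALGOS for a in checked):
        warnings.append("only collision-prone digests checked; add sha256sums")
    return True, checked, warnings


# Constructed stand-in for a downloaded source tarball.
SOURCE = b"example-1.0 source archive contents\n"


def make_pkgbuild(algos):
    """Constructed helper: a minimal PKGBUILD fragment carrying the given
    checksum arrays for SOURCE, i.e. what `makepkg -g` would emit with
    INTEGRITY_CHECK set to those algorithms."""
    lines = ["source=('example-1.0.tar.gz')"]
    for algo in algos:
        lines.append(f"{algo}sums=('{digest(SOURCE, algo)}')")
    return "\n".join(lines) + "\n"


def demo():
    """Run the three situations discussed in the thread and return the results."""
    results = {}
    # 1. md5 only: the makepkg.conf default the thread asks about.
    results["md5_only"] = verify_source(SOURCE, 0, parse_sums(make_pkgbuild(["md5"])))
    # 2. md5 plus sha256: a second, collision-resistant digest must also match,
    #    so two md5-colliding files can no longer both pass.
    results["with_sha256"] = verify_source(SOURCE, 0, parse_sums(make_pkgbuild(["md5", "sha256"])))
    # 3. A modified file: caught by every digest (collision attacks aside).
    results["tampered"] = verify_source(SOURCE + b"x", 0, parse_sums(make_pkgbuild(["md5", "sha256"])))
    return results


if __name__ == "__main__":
    for name, (ok, checked, warnings) in demo().items():
        print(f"{name}: ok={ok} checked={checked} warnings={warnings}")
```

The checker deliberately verifies every array that is present rather than stopping at the first match: a PKGBUILD that carries both `md5sums` and `sha256sums` only passes when both agree, which is the property heinrich5991 wants (everyone with the same PKGBUILD gets the same bytes) that md5 alone cannot guarantee.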