On Tue, Feb 10, 2004 at 09:00:03AM +0100, shoehn@××××××××××××××××××××.info wrote:
> I don't consider all these checks very useful. How can I be sure the
> files emerge downloaded are really the correct ones? I guess if
> someone would try to fool me with the help of the portage system he
> would change the version of portage with a "bad" one, that would
> obtain the "bad" files from an evil server, but with correct
> MD5 sums. So no one would realize that unless the tampered copy of
> portage is detected.

This is computationally infeasible - even the worst break on the MD5
algorithm only brings it down to an effective complexity of 2^80 or so.
That means an average of 2^40 files must be created and hashed before
a correctly-hashing file is made - that's about 10^12 files. Even if
someone can hash 100 files a second, that's around a year.

--
When a true genius appears in the world, you may know him by this sign, that the dunces are all in confederacy against him. - Jonathan Swift

--
gentoo-security@g.o mailing list
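The check the thread is arguing about, a downloaded file compared against a digest published by the distributor, looks like the following. This is an added example written for this page; it is not portage code, and the one-line-per-file digest format it parses (`ALGO hexdigest filename size`) is an assumed, simplified layout rather than portage's real Manifest format. The sample "downloaded" tarballs are constructed byte strings. The digest algorithm is a parameter so the same verifier works with MD5, which the mail discusses, or with a stronger hash such as SHA-256.

```python
import hashlib
import hmac
from typing import Dict, Iterable, List, Tuple

# The mail discusses MD5; any name accepted by hashlib.new() works here.
DEFAULT_ALGO = "md5"


def parse_digest_lines(lines: Iterable[str]) -> Dict[str, Tuple[str, str, int]]:
    """Parse lines of the assumed form 'ALGO hexdigest filename size'.

    Returns {filename: (algo, hexdigest, size)}.  Blank lines and '#' comments
    are skipped; anything else that is not four fields is rejected outright,
    because a silently ignored entry is a file that never gets checked.
    """
    table: Dict[str, Tuple[str, str, int]] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"malformed digest line: {raw!r}")
        algo, hexdigest, name, size = parts
        table[name] = (algo.lower(), hexdigest.lower(), int(size))
    return table


def make_digest_lines(files: Dict[str, bytes], algo: str = DEFAULT_ALGO) -> List[str]:
    """Produce digest lines from a trusted copy of the files (the distributor's side)."""
    return [
        f"{algo.upper()} {hashlib.new(algo, data).hexdigest()} {name} {len(data)}"
        for name, data in files.items()
    ]


def verify(files: Dict[str, bytes], digest_lines: Iterable[str]) -> Dict[str, str]:
    """Check downloaded files against the digest list (the user's side).

    Returns {filename: reason} for every problem found; an empty dict means
    every listed file is present, has the expected size and the expected digest.
    """
    expected = parse_digest_lines(digest_lines)
    problems: Dict[str, str] = {}
    for name, data in files.items():
        if name not in expected:
            problems[name] = "no digest entry"
            continue
        algo, hexdigest, size = expected[name]
        if len(data) != size:
            problems[name] = f"size {len(data)} != {size}"
            continue
        actual = hashlib.new(algo, data).hexdigest()
        # Constant-time comparison; not strictly needed for public digests,
        # but it is the habit to keep when comparing any authentication value.
        if not hmac.compare_digest(actual, hexdigest):
            problems[name] = f"{algo} mismatch"
    for name in expected:
        if name not in files:
            problems[name] = "listed but missing"
    return problems


# Constructed sample data (not real distfiles): the trusted copies ...
GOOD_FILES = {
    "foo-1.0.tar.gz": b"pretend tarball contents for foo",
    "bar-2.3.tar.gz": b"pretend tarball contents for bar",
}
# ... and a download set where bar was swapped for same-sized different bytes,
# so the size check passes and only the digest catches it.
TAMPERED_FILES = {
    "foo-1.0.tar.gz": b"pretend tarball contents for foo",
    "bar-2.3.tar.gz": b"pretend tarball contents for baz",
}


def demo(algo: str = DEFAULT_ALGO) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Verify the good and the tampered download sets against the same digest list."""
    digests = make_digest_lines(GOOD_FILES, algo)
    return verify(GOOD_FILES, digests), verify(TAMPERED_FILES, digests)


if __name__ == "__main__":
    ok, bad = demo()
    print("untampered:", ok or "all files verified")
    print("tampered:  ", bad)
```

Running the module prints no problems for the untampered set and a `md5 mismatch` for `bar-2.3.tar.gz` in the tampered one. The check is only as strong as the trust placed in the digest list and in the program performing the comparison, which is exactly the gap the quoted mail points at: a replaced verifier, or a digest list fetched from the same place as the files, verifies nothing.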