| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
On July 23, 2003 10:54 pm, Raimundo Bilbao wrote: |
| 5 |
|
| 6 |
> Sound great, a P2P gentoo (?), but how do you protect against |
| 7 |
> trojans, malware and stuffs like that?, is MD5 (AFAIK, currently the |
| 8 |
> only checksum used) good enough?. |
| 9 |
|
| 10 |
There are a couple of features to prevent against that kind of thing. |
| 11 |
|
| 12 |
Only files that exist on the official distfiles mirrors will eligible |
| 13 |
for sharing. In other words users cannot submit new files into the |
| 14 |
system. |
| 15 |
|
| 16 |
MD5's will be used to protect each chunk of data as well as the entire |
| 17 |
file. All hashes will originate from a central server so there is no |
| 18 |
opportunity for a malicious user to create a compromised chunk of data |
| 19 |
and have it accepted by the system. |
| 20 |
|
| 21 |
As for the security of MD5, there is no published instance of anyone |
| 22 |
finding 2 different datasets that produce an identical hash value. MD5 |
| 23 |
is a 128 bit hash algorithm so in theory it would be be required to |
| 24 |
calculate approximately 1.2 * sqrt(2^128) different hashes in order to |
| 25 |
have a 50% chance of a single collision. That would require > 350 |
| 26 |
billion gigabytes just to store the hashes. I believe MD5 to be secure |
| 27 |
enough for this application. |
| 28 |
|
| 29 |
- -- |
| 30 |
Fred Van Andel |
| 31 |
fava@g.o |
| 32 |
GPG KeyID: 76526AD599455482 |
| 33 |
GPG fingerprint: 64E4 4BAB 9C99 D565 3E3C F5D0 7652 6AD5 9945 5482 |
| 34 |
-----BEGIN PGP SIGNATURE----- |
| 35 |
Version: GnuPG v1.2.2 (GNU/Linux) |
| 36 |
|
| 37 |
iD8DBQE/Hi5SdlJq1ZlFVIIRAn+rAKCTzLilqNQjFCfNt9hXkhlZUK/JWwCg8w+a |
| 38 |
R6YWR9iUF6R0VBU2e18pQ5w= |
| 39 |
=8wC3 |
| 40 |
-----END PGP SIGNATURE----- |
| 41 |
|
| 42 |
|
| 43 |
-- |
| 44 |
gentoo-dev@g.o mailing list |
Archives