-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On July 23, 2003 10:54 pm, Raimundo Bilbao wrote:

> Sounds great, a P2P gentoo (?), but how do you protect against
> trojans, malware and stuff like that? Is MD5 (AFAIK, currently the
> only checksum used) good enough?

There are a couple of features to protect against that kind of thing.

Only files that exist on the official distfiles mirrors will be eligible
for sharing. In other words, users cannot submit new files into the
system.

MD5s will be used to protect each chunk of data as well as the entire
file. All hashes will originate from a central server so there is no
opportunity for a malicious user to create a compromised chunk of data
and have it accepted by the system.

As for the security of MD5, there is no published instance of anyone
finding 2 different datasets that produce an identical hash value. MD5
is a 128-bit hash algorithm so in theory it would be required to
calculate approximately 1.2 * sqrt(2^128) different hashes in order to
have a 50% chance of a single collision. That would require > 350
billion gigabytes just to store the hashes. I believe MD5 to be secure
enough for this application.

- --
Fred Van Andel
fava@g.o
GPG KeyID: 76526AD599455482
GPG fingerprint: 64E4 4BAB 9C99 D565 3E3C F5D0 7652 6AD5 9945 5482
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/Hi5SdlJq1ZlFVIIRAn+rAKCTzLilqNQjFCfNt9hXkhlZUK/JWwCg8w+a
R6YWR9iUF6R0VBU2e18pQ5w=
=8wC3
-----END PGP SIGNATURE-----

--
gentoo-dev@g.o mailing list
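
The scheme described in the message above (per-chunk and whole-file hashes issued by a central server, with peers unable to introduce data of their own), sketched as an added example that is not part of the original post or of any Gentoo code. The manifest layout, function names, chunk size and sample data are assumptions made for illustration; the digest is a parameter that defaults to the MD5 named in the post, because MD5 collisions were published after this message was written.

```python
import hashlib

CHUNK_SIZE = 4  # tiny constructed chunk size so the sample data stays readable


def build_manifest(data: bytes, chunk_size: int = CHUNK_SIZE, algo: str = "md5") -> dict:
    """What the central server would publish for one official distfile (hypothetical layout)."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    return {
        "algo": algo,
        "size": len(data),
        "chunk_size": chunk_size,
        "chunks": [hashlib.new(algo, c).hexdigest() for c in chunks],
        "file": hashlib.new(algo, data).hexdigest(),
    }


def accept_chunk(manifest: dict, index: int, chunk: bytes) -> bool:
    """Accept a peer's chunk only if it matches the server-issued hash for that index."""
    if not 0 <= index < len(manifest["chunks"]):
        return False  # peers cannot add chunks the server never listed
    start = index * manifest["chunk_size"]
    if len(chunk) != min(manifest["chunk_size"], manifest["size"] - start):
        return False  # wrong length for this position in the file
    return hashlib.new(manifest["algo"], chunk).hexdigest() == manifest["chunks"][index]


def assemble(manifest: dict, offers: dict) -> bytes:
    """offers maps chunk index -> list of candidate chunks received from peers."""
    out = bytearray()
    for index in range(len(manifest["chunks"])):
        candidates = offers.get(index, [])
        good = next((c for c in candidates if accept_chunk(manifest, index, c)), None)
        if good is None:
            raise ValueError(f"no valid chunk {index}; fetch it from an official mirror")
        out += good
    # Final check over the entire file, as the post describes.
    if hashlib.new(manifest["algo"], bytes(out)).hexdigest() != manifest["file"]:
        raise ValueError("whole-file hash mismatch")
    return bytes(out)


# Constructed sample: chunk 1 is offered by a tampering peer and by an honest one.
OFFICIAL = b"distfile-1.0"
MANIFEST = build_manifest(OFFICIAL)
OFFERS = {0: [b"dist"], 1: [b"EVIL", b"file"], 2: [b"-1.0"]}

if __name__ == "__main__":
    print(assemble(MANIFEST, OFFERS))
```

The client trusts only the manifest, so the channel that delivers it from the central server has to be authenticated; the peers themselves need no trust at all.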