1 |
At the moment, |
2 |
The MD5 (and theoretical SHA1) attacks create two pieces of data that |
3 |
hash to the same value. As I understand it, neither piece of data can |
4 |
be chosen at the moment, and tend to be long and fairly random. Also, |
5 |
the attacks that you're proposing to protect against must be coming from |
6 |
an untrusted user (since a dev with a signing key could always sign some |
7 |
malicious ebuild). |
8 |
So now the task is for an untrusted user to get a dev to sign some long |
9 |
random value that hashes to one thing, and then replace it with a |
10 |
different long random value when a user finally downloads it. It must |
11 |
then be interpreted by portage and execute some malicious code (and if |
12 |
I've read news about savior correctly, this will be sandboxed until the |
13 |
merge stage, so most of the ebuild must be valid). Does this not seem a |
14 |
little unlikely? Will the cost of making every gentoo user (and devs |
15 |
when creating/testing ebuilds) hash every file (at least) twice over be |
16 |
less than the benefits of protecting against this attack? |
17 |
If portage can already handle multiple hash formats, then perhaps it |
18 |
would just be best to start shifting the default hashing algorithm from |
19 |
MD5 to SHA-256 or greater (which if you're going off schneier's tips for |
20 |
safety is just about safe at the moment), rather than requiring multiple |
21 |
hashes and guessing about their combined security? By the time every |
22 |
manifest is signed, the digests inside it will presumably have been |
23 |
regenerated, and replaced by the latest default hash when that happened. |
24 |
Having to maintain backwards compatibility with old versions of portage |
25 |
is a good idea, however just how far back must be supported? I'm afraid |
26 |
I don't know how long multiple hashes have been supported. The earliest |
27 |
version in the tree at the moment is 2.0.51.22. If someone is getting |
28 |
new hashes, they must have synced recently and been informed that they |
29 |
need to upgrade portage. To carry on with the old portage (moreover a |
30 |
version of portage so old it doesn't support multiple hashes) would be |
31 |
asking for incompatibilities to arise. It would then surely be enough |
32 |
to leave MD5 sums only with the portage package (and any dependencies) |
33 |
so that portage could be successfully upgraded. |
34 |
Please note, this is not a "my crypto's bigger than your crypto" |
35 |
comment, it's just asking whether it's the most practical solution for |
36 |
the users or if there's another option? Thanks for your time, |
37 |
Mike 5:) |
38 |
-- |
39 |
gentoo-portage-dev@g.o mailing list |