| 1 |
At the moment, |
| 2 |
The MD5 (and theoretical SHA1) attacks create two pieces of data that |
| 3 |
hash to the same value. As I understand it, neither piece of data can |
| 4 |
be chosen at the moment, and tend to be long and fairly random. Also, |
| 5 |
the attacks that you're proposing to protect against must be coming from |
| 6 |
an untrusted user (since a dev with a signing key could always sign some |
| 7 |
malicious ebuild). |
| 8 |
So now the task is for an untrusted user to get a dev to sign some long |
| 9 |
random value that hashes to one thing, and then replace it with a |
| 10 |
different long random value when a user finally downloads it. It must |
| 11 |
then be interpreted by portage and execute some malicious code (and if |
| 12 |
I've read news about savior correctly, this will be sandboxed until the |
| 13 |
merge stage, so most of the ebuild must be valid). Does this not seem a |
| 14 |
little unlikely? Will the cost of making every gentoo user (and devs |
| 15 |
when creating/testing ebuilds) hash every file (at least) twice over be |
| 16 |
less than the benefits of protecting against this attack? |
| 17 |
If portage can already handle multiple hash formats, then perhaps it |
| 18 |
would just be best to start shifting the default hashing algorithm from |
| 19 |
MD5 to SHA-256 or greater (which if you're going off schneier's tips for |
| 20 |
safety is just about safe at the moment), rather than requiring multiple |
| 21 |
hashes and guessing about their combined security? By the time every |
| 22 |
manifest is signed, the digests inside it will presumably have been |
| 23 |
regenerated, and replaced by the latest default hash when that happened. |
| 24 |
Having to maintain backwards compatibility with old versions of portage |
| 25 |
is a good idea, however just how far back must be supported? I'm afraid |
| 26 |
I don't know how long multiple hashes have been supported. The earliest |
| 27 |
version in the tree at the moment is 2.0.51.22. If someone is getting |
| 28 |
new hashes, they must have synced recently and been informed that they |
| 29 |
need to upgrade portage. To carry on with the old portage (moreover a |
| 30 |
version of portage so old it doesn't support multiple hashes) would be |
| 31 |
asking for incompatibilities to arise. It would then surely be enough |
| 32 |
to leave MD5 sums only with the portage package (and any dependencies) |
| 33 |
so that portage could be successfully upgraded. |
| 34 |
Please note, this is not a "my crypto's bigger than your crypto" |
| 35 |
comment, it's just asking whether it's the most practical solution for |
| 36 |
the users or if there's another option? Thanks for your time, |
| 37 |
Mike 5:) |
| 38 |
-- |
| 39 |
gentoo-portage-dev@g.o mailing list |
Archives