On Tue, Mar 10, 2009 at 07:52:32PM +0200, Jonathan Dieter wrote:
> On Tue, 2009-03-10 at 19:41 +0200, Jonathan Dieter wrote:
> > Ok, I've been trying this, but how can we tell if the sequence is sha256
> > or md5 if we're *just* given the sequence (i.e. applydeltarpm -c -s
> > audit-libs-1.7.12-1.fc11-04548395de7d18795d88b32ea98897e90140 where it's
> > a sha256 sequence)?
>
> Ok, I've got it. We just check against md5 first, then sha256 if md5
> doesn't match. It's not elegant, but it should work fine, especially
> since we're only checking for verification, *not* security.
>
> Jonathan

Sorry for jumping in that late, but assuming a malicious deltarpm that
could fake a matching md5 sum to pass validation, wouldn't it get
applied and make that a security issue?
--
Axel.Thimm at ATrpms.net
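
The concern raised in this reply, as an added example that is not part of the original thread and does not model deltarpm's real sequence format: a verifier that tries md5 and then sha256 accepts anything that matches under md5, so it is only as strong as md5, while a verifier that is told the algorithm in advance rejects an md5 match. The function names and the sample payload are constructed for illustration.

```python
import hashlib
import hmac

# Hex digest length per algorithm, used to reject a digest of the wrong kind.
DIGEST_HEX_LEN = {"md5": 32, "sha256": 64}


def _matches(alg: str, data: bytes, expected_hex: str) -> bool:
    actual = hashlib.new(alg, data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def verify_fallback(data: bytes, expected_hex: str):
    """Approach described in the thread: try md5, then sha256.

    Returns the name of the algorithm that matched, or None.
    Any input that matches under md5 is accepted, whatever the
    publisher intended.
    """
    for alg in ("md5", "sha256"):
        if _matches(alg, data, expected_hex):
            return alg
    return None


def verify_pinned(data: bytes, expected_hex: str, alg: str) -> bool:
    """Accept only under the algorithm stated out of band (assumption:
    the caller learns it from trusted metadata, not from the digest)."""
    if len(expected_hex) != DIGEST_HEX_LEN[alg]:
        return False
    return _matches(alg, data, expected_hex)


if __name__ == "__main__":
    payload = b"constructed sample payload"  # constructed input
    md5_hex = hashlib.md5(payload).hexdigest()
    sha_hex = hashlib.sha256(payload).hexdigest()

    # The fallback verifier silently accepts the weaker digest.
    print("fallback, md5 digest:   ", verify_fallback(payload, md5_hex))
    print("fallback, sha256 digest:", verify_fallback(payload, sha_hex))
    # The pinned verifier refuses an md5 digest when sha256 is required.
    print("pinned sha256, md5 digest:   ", verify_pinned(payload, md5_hex, "sha256"))
    print("pinned sha256, sha256 digest:", verify_pinned(payload, sha_hex, "sha256"))
```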