RPM submission procedure

Enrico Scholz enrico.scholz at informatik.tu-chemnitz.de
Thu Jan 8 02:10:40 UTC 2004


skvidal at phy.duke.edu (seth vidal) writes:

>> (BTW SHA please MD5 has flaws 8)
>
> What flaws in particular?

md5 is not collision resistant. An attacker could create a bad and a good
rpm package. Both could be modified in such a way that they stay valid
rpm packages but differ in some places (e.g. in padding bits). With
e.g. 64 such bits, you could create 2^64 different but valid packages.

For the 128 bit md5sum, it is very likely (at least for common security
purposes) that you can find a matching good-bad package pair within these
2^64 possibilities (birthday attack). Now, the attacker places the good
package into the QA queue and waits for the review. Then, he replaces it with
the bad package (with the same md5sum) and fedora.us will have a malicious
package...


This attack can be prevented in two ways:

* use a better hash function (e.g. 160 bit SHA1), or
* speed up the QA process so that it is faster than the dup-finding process ;)


I do not know numbers about the duration of md5sum birthday attacks, but
IMO they are *not* an issue for the current QA process...



Enrico
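
The birthday search described in this message, scaled down to a 24-bit truncation of MD5 so that it finishes in seconds; this is an added example, not part of the original post. The `variant` helper, the appended counter standing in for padding bits, and the sample contents are assumptions constructed for illustration.

```python
import hashlib

HASH_BITS = 24  # toy digest size (assumption); real MD5 is 128 bits


def toy_digest(data: bytes, bits: int = HASH_BITS) -> int:
    """MD5 truncated to its top `bits` bits, so the search stays small."""
    full = int.from_bytes(hashlib.md5(data).digest(), "big")
    return full >> (128 - bits)


def variant(base: bytes, counter: int) -> bytes:
    """Stand-in for 'padding bits': a counter appended to the content."""
    return base + b"\x00PAD" + counter.to_bytes(8, "big")


def find_good_bad_pair(good: bytes, bad: bytes, bits: int = HASH_BITS,
                       max_rounds: int = 1 << 20):
    """Generate variants of both files until a good and a bad digest match.

    Returns (good_variant, bad_variant, rounds), or None if max_rounds is hit.
    """
    seen_good, seen_bad = {}, {}
    for i in range(max_rounds):
        g, b = variant(good, i), variant(bad, i)
        dg, db = toy_digest(g, bits), toy_digest(b, bits)
        seen_good[dg] = g
        seen_bad[db] = b
        if dg in seen_bad:          # new good variant matches a stored bad one
            return g, seen_bad[dg], i + 1
        if db in seen_good:         # new bad variant matches a stored good one
            return seen_good[db], b, i + 1
    return None


if __name__ == "__main__":
    # Constructed sample contents, not real packages.
    good = b"constructed sample: reviewed package payload"
    bad = b"constructed sample: tampered package payload"
    g, b, rounds = find_good_bad_pair(good, bad)
    print(f"{HASH_BITS}-bit digest: match after {rounds} rounds, "
          f"order of 2^{HASH_BITS // 2} expected")
    print("digests equal:", toy_digest(g) == toy_digest(b), "| differ:", g != b)
    # Same square-root scaling for full-length digests:
    for name, bits in (("MD5", 128), ("SHA-1", 160)):
        print(f"{name}: about 2^{bits // 2} variants per side")
```

The number of rounds grows as roughly 2^(bits/2), which is why the 2^64 variants in the message line up with a 128 bit digest and why a 160 bit digest pushes the same search to about 2^80.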




