Deltarpm *not* ready for new RPM checksums (was Re: Ready for new RPM version?)

Axel Thimm Axel.Thimm at ATrpms.net
Sat Apr 18 13:58:16 UTC 2009


On Tue, Mar 10, 2009 at 07:52:32PM +0200, Jonathan Dieter wrote:
> On Tue, 2009-03-10 at 19:41 +0200, Jonathan Dieter wrote:
> > Ok, I've been trying this, but how can we tell if the sequence is sha256
> > or md5 if we're *just* given the sequence (i.e. applydeltarpm -c -s
> > audit-libs-1.7.12-1.fc11-04548395de7d18795d88b32ea98897e90140 where it's
> > a sha256 sequence)?
> 
> Ok, I've got it.  We just check against md5 first, then sha256 if md5
> doesn't match.  It's not elegant, but it should work fine, especially
> since we're only checking for verification, *not* security.
> 
> Jonathan

Sorry for jumping in that late, but assuming a malicious deltarpm that
could fake a matching md5 sum to pass validation, wouldn't it get
applied and make that a security issue?
-- 
Axel.Thimm at ATrpms.net
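As an added illustration, not code from deltarpm or from anyone in this thread, the following shows why the digest cannot be told apart by length alone and why "try md5, then sha256" makes the check only as strong as md5 unless the caller states which algorithms it accepts. The sequence layout (digest of the target rpm followed by an opaque, variable-length tail), the digest sizes and all sample values are constructed assumptions modelled on the sequence string quoted above.

```python
import hashlib

# Constructed layout, modelled on the sequence in the thread:
#   "<name-version-release>-<hex>", where <hex> is the target rpm's digest
#   followed by an opaque tail of unknown length. A digest is md5 (16 bytes)
#   or sha256 (32 bytes); because the tail length is unknown, the digest
#   length cannot be inferred from the total length.
DIGESTS = {"sha256": 32, "md5": 16}   # strongest algorithm first


def split_sequence(seq):
    """Return (nevr, raw_bytes) for a sequence string; the hex part holds no '-'."""
    nevr, _, hexpart = seq.rpartition("-")
    return nevr, bytes.fromhex(hexpart)


def identify_digest(raw, target):
    """Return the first algorithm (strongest first) whose digest of the
    target rpm equals the prefix of raw, or None if nothing matches."""
    for algo, size in DIGESTS.items():
        if len(raw) >= size and raw[:size] == hashlib.new(algo, target).digest():
            return algo
    return None


def verify_sequence(seq, target, allowed=("sha256",)):
    """Policy check: pass only if the matching digest is one the caller
    explicitly allows. Accepting whichever algorithm happens to match
    would silently reduce the check to md5 strength."""
    _, raw = split_sequence(seq)
    algo = identify_digest(raw, target)
    return algo if algo in allowed else None


def make_sequence(nevr, target, algo, tail):
    """Build a constructed sequence string for a given digest algorithm."""
    return f"{nevr}-{hashlib.new(algo, target).digest().hex()}{tail.hex()}"


if __name__ == "__main__":
    rpm = b"constructed target rpm bytes"
    seq = make_sequence("audit-libs-1.7.12-1.fc11", rpm, "md5", b"\x00\x01\x02")
    print(identify_digest(split_sequence(seq)[1], rpm))   # md5
    print(verify_sequence(seq, rpm))                      # None: md5 not allowed
```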
