[Rpm-metadata] Re: Rpm-metadata Digest, Vol 16, Issue 5

Randy Zagar zagar at arlut.utexas.edu
Mon Feb 21 20:26:17 UTC 2005


When you say that it "raises the bar sufficiently", you really ought to
add "for me" to the end of that sentence.  You probably aren't working
for the same set of clients that I am.  In addition to having paranoia
that "goes to 11" as a job requirement, I also have to consider that any
RPM-based system I deliver may be deployed for 20 years.  Given the
current state-of-the-art, and my rather unique customer requirements,
I'd prefer to follow the "tripwire" philosophy which is to never trust
any single signature or checksum.

Plus, I'm not sure what the rationale for opposing an SHA-1 field in the
xml file is based on...  Why aren't ALL rpm metadata fields being
supported in xml?  Wouldn't it be simpler to just say "we support all
metadata fields supported by RPM"?  That way there is no need to
"discuss" whether or not something gets included in the DTD.

Anyway, some of these questions are just rhetorical.  I just brought
this stuff up because I was looking at the sample xml files and didn't
see all the fields I expected to see.  Anyway, feel free to ignore my
rantings if you wish.  My needs are probably an edge-case anyway and I'm
certainly not paying your salary, so handle it how you want...

-RZ


On Mon, 2005-02-21 at 11:00, rpm-metadata-request at lists.dulug.duke.edu
wrote:
> Message: 2
> Date: Sun, 20 Feb 2005 16:38:38 -0500
> From: Jeff Johnson <n3npq at nc.rr.com>
> Subject: Re: [Rpm-metadata] Re: Rpm-metadata Digest, Vol 16, Issue 4
> To: rpm-metadata at lists.dulug.duke.edu
> Message-ID: <4219035E.3090802 at nc.rr.com>
> Content-Type: text/plain; charset=us-ascii; format=flowed
> 
> seth vidal wrote:
> 
> >On Sun, 2005-02-20 at 13:02 -0600, Randy Zagar wrote:
> >  
> >
> >>What makes you think I'm joking?
> >>
> >>The RPMs themselves contain SHA-1, MD5 checksums and GPG signatures.
> >>
> >>Why shouldn't the XML metadata files contain all relevant software
> >>validation metadata?
> >>    
> >>
> >
> >Well, if you want to validate the pkgs you check gpg signatures, not
> >sha1sums or md5sums.
> >
> >so instead of just adding more data w/o any real use to the metadata it
> >would make more sense, to me, to work on gpg signing.
> >
> 
> FYI: The problems are inseparable, DSA is based on SHA-1. If you can
> create a SHA-1 hash collision, then you can spoof DSA.
> 
> Meanwhile, *please* don't include Yet Another Digest everywhere in rpm-metadata,
> nor try to add duplicate md5+sha1 digests. Even if SHA-1 collisions are now known easier
> than what was originally thought, it's not exactly trivial to do, nor is it going to be
> trivial to create a SHA-1 hash collision for quite some years yet (if ever).
> 
> And even then, having both MD5+SHA1 ain't the right answer, SHA257, or SHA386 or SHA512
> raises the bar sufficiently.
> 
> 73 de Jeff
-- 
Randy Zagar <zagar at arlut.utexas.edu>
Applied Research Laboratories
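
An added example, not part of the original message or of the rpm-metadata project: a sketch of the "never trust any single signature or checksum" policy discussed in this thread, where a package is accepted only if every required digest is recorded in its metadata and matches. The `<package>`/`<checksum type="...">` layout, the `REQUIRED` policy and all function names are assumptions made for illustration, not the rpm-metadata DTD.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed stand-in for the bytes of a package file.
PACKAGE_BYTES = b"constructed example package payload\n"
# Assumed policy: every one of these digests must be recorded and must match.
REQUIRED = ("md5", "sha1", "sha256")

def compute_digests(data, algorithms, chunk_size=65536):
    """Read the data once, feeding every hasher, and return {name: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        for hasher in hashers.values():
            hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}

def build_metadata(data, algorithms=REQUIRED):
    """Emit a constructed <package> record with one <checksum> per algorithm."""
    package = ET.Element("package")
    for name, digest in compute_digests(data, algorithms).items():
        ET.SubElement(package, "checksum", type=name).text = digest
    return ET.tostring(package, encoding="unicode")

def verify_package(data, metadata_xml, required=REQUIRED):
    """Return a list of problems; an empty list means every digest matched."""
    # Assumption: the metadata itself was already authenticated (e.g. signed).
    package = ET.fromstring(metadata_xml)
    recorded = {c.get("type"): (c.text or "").strip().lower()
                for c in package.findall("checksum")}
    # A digest that is absent from the metadata is a failure, not a skip.
    problems = [f"missing {name}" for name in required if name not in recorded]
    present = [name for name in required if name in recorded]
    for name, digest in compute_digests(data, present).items():
        if digest != recorded[name]:
            problems.append(f"mismatch {name}")
    return problems

if __name__ == "__main__":
    metadata = build_metadata(PACKAGE_BYTES)
    print(verify_package(PACKAGE_BYTES, metadata))          # intact package
    print(verify_package(PACKAGE_BYTES + b"x", metadata))   # altered package
    sha1_only = build_metadata(PACKAGE_BYTES, ("sha1",))
    print(verify_package(PACKAGE_BYTES, sha1_only))         # single digest only
```

The digests only add assurance when the metadata carrying them is itself authenticated; otherwise whoever can replace the package can replace the recorded values too.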