10-15-2012, 05:46 PM
Michael Gilbert
 
Debian should move away from MD5 (and at best also from SHA1) (in secure APT and friends)

On Sun, Oct 14, 2012 at 9:08 PM, Christoph Anton Mitterer wrote:
>> If so, please submit
>> bugs, and we will look at fixing them. Otherwise, speculation gets us
>> nowhere and actually wastes time.
> Well I had once a discussion (around March this year) here about
> blocking/downgrade attacks... which, AFAICS, both are possible in secure
> APT right now.... but there was no real outcome.
> Unfortunately it seems that people do not take these higher-level attacks
> really seriously.... even though the danger they impose is quite high.

Are there bug reports with a clear description of the problem,
preferably with a proposed fix? Discussion doesn't really get us
anywhere. Useful info and actual efforts at fixing problems do.

Best wishes,
Mike


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/CANTw=MOLY-7t_=-ZBOaBThnmQg7J9H7wXbQS_K+2up6V84+E5A@mail.gmail.com
 
10-15-2012, 11:26 PM
Dmitrijs Ledkovs
 
Debian should move away from MD5 (and at best also from SHA1) (in secure APT and friends)

On 15 October 2012 18:46, Michael Gilbert <mgilbert@debian.org> wrote:
> On Sun, Oct 14, 2012 at 9:08 PM, Christoph Anton Mitterer wrote:
>>> If so, please submit
>>> bugs, and we will look at fixing them. Otherwise, speculation gets us
>>> nowhere and actually wastes time.
>> Well I had once a discussion (around March this year) here about
>> blocking/downgrade attacks... which, AFAICS, both are possible in secure
>> APT right now.... but there was no real outcome.
>> Unfortunately it seems that people do not take these higher-level attacks
>> really seriously.... even though the danger they impose is quite high.
>
> Are there bug reports with a clear description of the problem,
> preferably with a proposed fix? Discussion doesn't really get us
> anywhere. Useful info and actual efforts at fixing problems do.
>

So far no bugs or problems were uncovered. So nothing to file or fix ;-)

I can think of adding SHA-3 hashes... but none of the tools support it
yet, so it's a future wishlist bug, which I am sure will be acted upon
at an appropriate time and doesn't need a bug filed at the present time.

Regards,

Dmitrijs.


--
Archive: http://lists.debian.org/CANBHLUgZqkK5Li8K4Xr67g25DLNTEDivRXLWxaTgUzOsfAPDE w@mail.gmail.com
 





All times are GMT.
