On Feb 16, 2008, at 01:49, William Allen Simpson wrote:

> On 2/15/08, Eric Hall wrote:
>
>> I believe there are attacks against MD5 that make it insufficient to verify that the "right" distfile was downloaded.
>
> You believe incorrectly. All known attacks require that the generator of the tarball is compromised. That is, there are no preimage or second preimage attacks.
>
> As yet, nobody has successfully completed any of my MD4 or MD5 challenges, announced on the cryptography and NIST hash lists....
>
>> Do you remember the PDF example from several years back?
>
> Yes. A parlor trick. Irrelevant to using MD5 as designed.
>
>> Are there other game-over equivalences involved (attacker is the distfile author, or has compromised the distfile server so can (either way) push out a shiny-new version with exploits baked in)? Yuppers.
>
> And that is the only relevant issue. Something that a hash cannot solve.
>
> As long as we ONLY use hashes generated by the distfile author, located on the distfile site, and NEVER generate our own, we'll be fine.
But we don't do that. At least, I'm constantly generating my own checksums for my portfiles. The developers of most of my ports do not provide checksums.
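The distinction the thread turns on can be made concrete with a small checksum-pinning routine. This is an added example, not code from the thread or from any ports system; the tarball bytes are constructed here, and the function names are the example's own. It records a digest set for a distfile on first download and verifies later downloads against it. The point it demonstrates: a self-generated checksum pins whatever bytes you fetched first, so it catches a later substitution on the mirror, but it cannot tell you whether that first copy was already the wrong one. Only a digest published by the author, obtained separately from the distfile, speaks to that. MD5 is kept in the set because that is what the thread discusses; a second, collision-resistant digest is recorded alongside it.

```python
import hashlib
import hmac
from typing import Dict

# Digests to record for each distfile. MD5 is included because the thread is
# about MD5; SHA-256 is recorded alongside it so the pin does not rest on MD5 alone.
ALGORITHMS = ("md5", "sha256")


def digest_bytes(data: bytes, algorithm: str) -> str:
    """Hex digest of data under the named hashlib algorithm."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def record_checksums(data: bytes) -> Dict[str, str]:
    """Pin the bytes of a distfile as first downloaded (trust on first use).

    Nothing here can tell whether `data` was already tampered with before
    this point; the pin only lets later downloads be compared to it.
    """
    return {alg: digest_bytes(data, alg) for alg in ALGORITHMS}


def verify_checksums(data: bytes, expected: Dict[str, str]) -> bool:
    """True only if every recorded digest matches the data.

    Fails closed on an empty manifest or on an algorithm this Python build
    does not provide, and uses a constant-time comparison for each digest.
    """
    if not expected:
        return False
    for alg, want in expected.items():
        try:
            got = digest_bytes(data, alg)
        except ValueError:  # hashlib.new raises for unknown algorithm names
            return False
        if not hmac.compare_digest(got, want.lower()):
            return False
    return True


# Constructed sample "distfiles" standing in for an upstream tarball and a
# version of it with one byte changed.
ORIGINAL_TARBALL = b"\x1f\x8b" + b"constructed tarball contents v1.0\n"
TAMPERED_TARBALL = b"\x1f\x8b" + b"constructed tarball contents v1.0!\n"


def demo() -> Dict[str, bool]:
    """Run the three cases the thread argues about and return the outcomes."""
    pinned_from_original = record_checksums(ORIGINAL_TARBALL)
    pinned_from_tampered = record_checksums(TAMPERED_TARBALL)
    return {
        # Same bytes as first downloaded: the pin holds.
        "original_matches_own_pin": verify_checksums(ORIGINAL_TARBALL, pinned_from_original),
        # Mirror later serves different bytes: the pin catches it.
        "tampered_rejected_by_original_pin": verify_checksums(TAMPERED_TARBALL, pinned_from_original),
        # First download was already the bad copy: a self-generated pin accepts it.
        "tampered_accepted_by_own_pin": verify_checksums(TAMPERED_TARBALL, pinned_from_tampered),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The third case is the one a self-generated checksum cannot help with, and it is exactly the "attacker is the distfile author or controls the server" situation the thread calls game over; the verifier only tells you that the bytes are the same bytes someone pinned, which is useful against later mirror substitution and nothing more.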