From: Markos Chandras <Markos.Chandras@imgtec.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH] ser2net: Add a hash file
Date: Wed, 8 Oct 2014 12:25:54 +0100 [thread overview]
Message-ID: <54351F42.2090800@imgtec.com> (raw)
In-Reply-To: <5435155D.4020903@zacarias.com.ar>
On 10/08/2014 11:43 AM, Gustavo Zacarias wrote:
> On 10/08/2014 07:18 AM, Markos Chandras wrote:
>> I understand that, but realistically speaking, supporting so many
>> different hashes is not very efficient. If an upstream uses weak hashes
>> for released tarballs, just verify the weak hash on your local pc and
>> then generate a strong hash yourself. Is there really a point having a
>> week md5 and a strong sha256 hash at the same time?
>
> "strong" hashes are so for now, weak hashes were strong at the time too
> remember, they're, grossly said, glorified checksums/CRCs (which were
> also considered well enough until the data set and computation power grew).
> If you truly want to ensure a certain degree of tamper resistance you
> need to go to the 2-way collision.
> After all a single value of 256 or 512 bits representing a file of 1 MB
> of compressed data is bound to hit some issue eventually.
> With two different hashing methods it's statistically very complex to
> win the lottery.
> Regards.
>
Sure. But this probably is not a strong argument because for all I know
they may find sha256 broken tomorrow morning and you have to update all
the buildroot packages using that hash to verify the tarball. If you
think something is "not strong enough" then don't use it :)
Perhaps it's best if buildroot supported the two strongest algorithms
and request that information for every package? I really see no point
supporting eg md5 since we know it's weak. Anyway, that's my personal
opinion, I just feel there is no clear "rule" here so developers are
free to use whatever they want which may not always be acceptable by the
maintainers :)
--
markos
next prev parent reply other threads:[~2014-10-08 11:25 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-10-07 14:30 [Buildroot] [PATCH] ser2net: Fix compilation failures due to missing TIOCSRS485 macro Vicente Olivert Riera
2014-10-07 14:30 ` [Buildroot] [PATCH] ser2net: Add a hash file Vicente Olivert Riera
2014-10-07 17:23 ` Thomas Petazzoni
2014-10-08 8:57 ` Vicente Olivert Riera
2014-10-08 9:20 ` Thomas Petazzoni
2014-10-08 9:25 ` Vicente Olivert Riera
2014-10-08 9:37 ` Markos Chandras
2014-10-08 9:41 ` Vicente Olivert Riera
2014-10-08 10:04 ` Peter Korsgaard
2014-10-08 10:11 ` Gustavo Zacarias
2014-10-08 10:18 ` Markos Chandras
2014-10-08 10:43 ` Gustavo Zacarias
2014-10-08 11:25 ` Markos Chandras [this message]
2014-10-08 11:35 ` Gustavo Zacarias
2014-10-29 21:58 ` Thomas Petazzoni
2014-10-07 14:33 ` [Buildroot] [PATCH] ser2net: Fix compilation failures due to missing TIOCSRS485 macro Yegor Yefremov
2014-10-07 17:28 ` Thomas Petazzoni
2014-10-07 19:34 ` Yegor Yefremov
2014-10-07 20:15 ` Peter Korsgaard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=54351F42.2090800@imgtec.com \
--to=markos.chandras@imgtec.com \
--cc=buildroot@busybox.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox