[Buildroot] [PATCH 2/4] pkg-infra: add possibility to check downloaded files against known hashes

Peter Korsgaard peter at korsgaard.com
Sun Nov 8 17:14:35 UTC 2020


>>>>> "Yann" == Yann E MORIN <yann.morin.1998 at free.fr> writes:

Hi,

 >> I wonder if the gain is worth the extra complexity for our users and in
 >> the implementation.

 > The implementation is pretty trivial. I have more changes against the
 > manual than I have against the code...

Yes, I was mainly referring to the first part, e.g. our users. Now the
hash lines are an algorithm prefix and then the output of <alg>sum, but
with the suggested change this is no longer the case.

But yes, it isn't a big complication.


 > However, now that I've read a bit more, especially that last article, I
 > doubt we'd be susceptible to such attacks. Indeed, LEA target MACs, that
 > is signatures. We're not using hashes that way; we just hash files, not
 > secrets.

I am not a cryptographer, but I would imagine that creating LEA attacks
against the kind of hashes we have is HARD to do, otherwise a lot of
things would break, and all those upstreams publishing hashes with their
releases would be for nothing.

-- 
Bye, Peter Korsgaard
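
An added example, not part of the original message and not Buildroot's own code: a checker for hash lines of the form discussed above, an algorithm prefix followed by the output of `<alg>sum`. The exact layout (`<alg>  <digest>  <filename>`, `#` comments), the accepted algorithm list, the result strings and the sample file name are assumptions made for this sketch.

```python
import hashlib
import os
import tempfile

# Algorithms accepted by this sketch (assumption, not Buildroot's own list).
ALLOWED = {"sha1", "sha256", "sha512"}


def parse_hash_lines(text):
    """Return (alg, digest, filename) tuples from '<alg> <digest> <filename>' lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed hash line: {raw!r}")
        alg, digest, name = fields
        if alg not in ALLOWED:
            raise ValueError(f"unsupported algorithm: {alg!r}")
        entries.append((alg, digest.lower(), name))
    return entries


def check_file(path, hash_text):
    """Return 'ok', 'mismatch' or 'no-hash' for the downloaded file at path."""
    name = os.path.basename(path)
    wanted = [e for e in parse_hash_lines(hash_text) if e[2] == name]
    if not wanted:
        return "no-hash"  # file has no known hash: caller decides the policy
    for alg, digest, _ in wanted:
        h = hashlib.new(alg)
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        if h.hexdigest() != digest:
            return "mismatch"  # every listed hash must match
    return "ok"


def demo():
    """Run the checker on a constructed file and three constructed hash files."""
    data = b"constructed sample tarball contents"
    good = f"sha256  {hashlib.sha256(data).hexdigest()}  foo-1.0.tar.gz\n"
    bad = f"sha256  {'0' * 64}  foo-1.0.tar.gz\n"
    other = f"sha256  {'0' * 64}  bar-2.0.tar.gz\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "foo-1.0.tar.gz")
        with open(path, "wb") as f:
            f.write(data)
        return tuple(check_file(path, t) for t in (good, bad, other))
```
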

