[Buildroot] [PATCH 2/4] pkg-infra: add possibility to check downloaded files against known hashes
Peter Korsgaard
peter at korsgaard.com
Sun Nov 8 17:14:35 UTC 2020
>>>>> "Yann" == Yann E MORIN <yann.morin.1998 at free.fr> writes:
Hi,

>> I wonder if the gain is worth the extra complexity for our users and in
>> the implementation.

> The implementation is pretty trivial. I have more changes against the
> manual than I have against the code...

Yes, I was mainly referring to the first part, e.g. our users. Now the
hash lines are an algorithm prefix and then the output of <alg>sum, but
with the suggested change this is no longer the case.

But yes, it isn't a big complication.

> However, now that I've read a bit more, especially that last article, I
> doubt we'd be susceptible to such attacks. Indeed, LEA target MACs, that
> is signatures. We're not using hashes that way; we just hash files, not
> secrets.

I am not a cryptographer, but I would imagine that creating LEA attacks
against the kind of hashes we have is HARD to do, otherwise a lot of
things would break, and all those upstreams publishing hashes with their
releases would be for nothing.
--
Bye, Peter Korsgaard