public inbox for gentoo-dev@lists.gentoo.org
From: Fred Van Andel <fava@gentoo.org>
To: gentoo-dev@gentoo.org
Subject: Re: [gentoo-dev] (crazy?) proposal to reduce load and disk on mirrors
Date: Tue, 22 Jul 2003 23:42:26 -0700
Message-ID: <200307222342.26941.fava@gentoo.org>
In-Reply-To: <20030724015453.5079e993.rbilbao@inzignia.cl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On July 23, 2003 10:54 pm, Raimundo Bilbao wrote:

> Sounds great, a P2P gentoo (?), but how do you protect against
> trojans, malware and stuff like that? Is MD5 (AFAIK, currently the
> only checksum used) good enough?

There are a couple of features to protect against that kind of thing.

Only files that exist on the official distfiles mirrors will be eligible
for sharing. In other words, users cannot submit new files into the
system.

MD5's will be used to protect each chunk of data as well as the entire 
file. All hashes will originate from a central server so there is no 
opportunity for a malicious user to create a compromised chunk of data 
and have it accepted by the system.

As for the security of MD5, there is no published instance of anyone
finding 2 different datasets that produce an identical hash value. MD5
is a 128-bit hash algorithm so in theory it would be required to
calculate approximately 1.2 * sqrt(2^128) different hashes in order to
have a 50% chance of a single collision. That would require > 350
billion gigabytes just to store the hashes. I believe MD5 to be secure
enough for this application.

- -- 
Fred Van Andel
fava@gentoo.org
GPG KeyID: 76526AD599455482  
GPG fingerprint: 64E4 4BAB 9C99 D565 3E3C F5D0 7652 6AD5 9945 5482
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/Hi5SdlJq1ZlFVIIRAn+rAKCTzLilqNQjFCfNt9hXkhlZUK/JWwCg8w+a
R6YWR9iUF6R0VBU2e18pQ5w=
=8wC3
-----END PGP SIGNATURE-----


--
gentoo-dev@gentoo.org mailing list
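
The scheme described in the message above (per-chunk and whole-file hashes that come only from a central server) can be sketched as follows. This is an added example, not part of the original message or of any Gentoo code; the manifest layout, function names, chunk size and sample data are assumptions made for illustration. The hash algorithm is a parameter: the message proposes MD5, while the sketch defaults to SHA-256 because practical MD5 collisions were published after this message was written.

```python
import hashlib

CHUNK_SIZE = 4  # constructed demo value; real chunks would be far larger
SAMPLE = b"constructed distfile bytes"  # constructed stand-in for a distfile


def build_manifest(data, algo="sha256", chunk_size=CHUNK_SIZE):
    """Hashes the central server would publish (hypothetical manifest layout)."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    return {
        "algo": algo,
        "chunk_size": chunk_size,
        "size": len(data),
        "chunk_hashes": [hashlib.new(algo, c).hexdigest() for c in chunks],
        "file_hash": hashlib.new(algo, data).hexdigest(),
    }


def verify_chunk(manifest, index, chunk):
    """Accept a peer-supplied chunk only if it matches the server's hash."""
    hashes = manifest["chunk_hashes"]
    if not 0 <= index < len(hashes):
        return False  # a peer cannot introduce chunks the server never listed
    start = index * manifest["chunk_size"]
    if len(chunk) != min(manifest["chunk_size"], manifest["size"] - start):
        return False  # wrong length for this position (last chunk may be short)
    return hashlib.new(manifest["algo"], chunk).hexdigest() == hashes[index]


def assemble(manifest, offers):
    """offers: {index: [candidate chunks from peers]}; returns the verified file."""
    parts = []
    for i in range(len(manifest["chunk_hashes"])):
        good = next((c for c in offers.get(i, []) if verify_chunk(manifest, i, c)), None)
        if good is None:
            raise ValueError(f"no valid copy of chunk {i} was offered")
        parts.append(good)
    data = b"".join(parts)
    # Final check over the whole file, as the message proposes.
    if hashlib.new(manifest["algo"], data).hexdigest() != manifest["file_hash"]:
        raise ValueError("whole-file hash mismatch")
    return data


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE)
    size = manifest["chunk_size"]
    good = [SAMPLE[i:i + size] for i in range(0, len(SAMPLE), size)]
    # Every index gets a tampered copy first, then the genuine one.
    offers = {i: [b"EVIL"[:len(c)], c] for i, c in enumerate(good)}
    print(assemble(manifest, offers) == SAMPLE)
```

The guarantee holds only if the manifest itself reaches the client over a channel the peers cannot alter.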

